{ "type": "URL", "indicator": "https://123.207.211.161/dot.gif", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://123.207.211.161/dot.gif", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3697158204, "indicator": "https://123.207.211.161/dot.gif", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 15, "pulses": [ { "id": "65bbe07f0780cef1c48ccae4", "name": "access.blackbagtech.com", "description": "innovative forensic acquisition, triage, and analysis software for Windows, Android, iPhone/iPad, and Mac OS X devices.\nIn this instance Pegasus was deployed against the survivor of hungry, injurious SA against Brashears; allegedly assaulted by PT Jeffrey Reimer in AMS Concentra/Select Physical Therapy in Denver, Co. Rather than investigate DPT Reimer, law enforcement launched attack against victim ( SCI/TBI). Brashears was threatened by Mark Montana MD, lawyer and Workers Compensation doctor. Denied care, equally aggressive Montano wage effort to ensure silence and wides bid for Douglas County, Colorado Coroner election. Fraud, framing, death threats ensued. Montano threatened Brashears with his alleged best friend Tony Spurlock, promising a battle against her Court documented. \nBrashears is in danger.", "modified": "2024-03-02T17:02:51.870000", "created": "2024-02-01T18:18:39.156000", "tags": [ "ssl certificate", "whois record", "pegasus", "cellbrite", "targets sa", "survivor", "blackbag", "relations apple", "mdm hacking", "communicating", "execution", "contacted", "quasar", "kgs0", "malware", "core", "hacktool", "ransomexx", "azorult", "emotet", "remcos", "agent tesla", "grandoreiro", "targeting tsara brashears", "delphi programming", "access", "local law enforcement", "quasi case", "framing", "jeffrey reimer dpt 'reported' assaulter", "state and governments cover white offender jeffrey reimer", "indian mix brashears physically attacked often followed", "death threats", "alienvault results removed from search results", "brashears tagged in adult content - not removed", "brashears blacklisted", "reimer promoted", "false criminal records created about brashears", "brashears family identity theft", "judge sided with brashears", "brashears given less than $10000 by Brian sabey", "brian sabey constant contact ) threats", "brashears stalked", "reimer protected and hidden", "pegasus technology disallows victim to report to regulatory boar", "aig", "industry and commerce", "danger", "rob neill drives brashears off road", "brashears further injured", "neill positively identified - no charges", "malvertizing", "botnet", "fraud apple support chats", "falsified medical records", "denied healthcare", "hydrocephalus not disclosed", "permanent damage", "corruption", "burg simpson corruption", "Denver trial attorneys tell brashears statute is 6 years in colo", "da informs brashears no statute", "brashears denied disability benefits for years", "remember george floyd? brashears survived that injury", "brashears cannot digest food", "brashears can't toilet", "jeffrey reimer was reported early", "brashears bullied to return to PT due to workers compensation ru", "montano threatened brashears with breaking the law if not return", "reimer recorded", "recordings stored online", "recordings retrieved by bgp", "bryan counts made aware of recordings", "recordings demanded", "america?", "advocates ensure the rights of others", "make others aware", "who else is unheard.", "non stop harassment", "constant car bomb threats", "brashears unable to properly articulate", "nothing new", "assaulted by man demanding phone", "no charges", "Brian sabey brings case to silence brashears", "sabey motions dismissed", "pegasus involves malicious actions by humans", "pegasus attackers do kill", "pegasus attackers make in person contact", "overly large campaign", "private investigators tailed stalkers. became afraid when learni", "discrimination", "hacking", "tracking", "car hacking", "apple", "android overlay", "network rats", "brashears denied vocational rehab twice", "brashears unhirable due to online profile", "employer rightfully consider brashears attack a risk to others", "group hacked intermountain healthcare", "group hacked uchealth colorado", "group hacked esurance" ], "references": [ "access.blackbagtech.com", "The only thing necessary for the triumph of evil is for good men to do nothing.\u201d" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 87, "FileHash-SHA1": 78, "FileHash-SHA256": 2075, "URL": 2696, "domain": 710, "hostname": 827, "CVE": 1 }, "indicator_count": 6474, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "821 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6588588d4b9eb5c3530caabf", "name": "Ghost RAT | Apple Domain Robot | Cherry Creek, Colorado Retail", "description": "", "modified": "2024-01-23T17:03:33.038000", "created": "2023-12-24T16:13:01.574000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64d1e650a97b0611cf796551", "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28182, "FileHash-MD5": 4761, "FileHash-SHA1": 3109, "FileHash-SHA256": 10324, "domain": 3628, "hostname": 9624, "email": 90, "CIDR": 8, "CVE": 42 }, "indicator_count": 59768, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "860 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a48b6ea16eeb6b54dfad7c", "name": "https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa | Brian Sabey dangerous obsession with Tsara Brashears", "description": "", "modified": "2024-01-15T01:33:34.790000", "created": "2024-01-15T01:33:34.790000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6590f9b6b1fe0330c655c25f", "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "869 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6590f9b6b1fe0330c655c25f", "name": "https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa | Brian Sabey dangerous obsession with Tsara Brashears ", "description": "", "modified": "2023-12-31T05:18:46.519000", "created": "2023-12-31T05:18:46.519000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "658741502e029e25c7152cc0", "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "884 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658741502e029e25c7152cc0", "name": "busted hijacking", "description": "", "modified": "2023-12-23T20:21:36.641000", "created": "2023-12-23T20:21:36.641000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544c99af21a2fde7bd6927e", "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Machidian45", "id": "262704", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 32, "modified_text": "891 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6587414f2e029e25c7152cbf", "name": "busted hijacking", "description": "", "modified": "2023-12-23T20:21:35.725000", "created": "2023-12-23T20:21:35.725000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544c99af21a2fde7bd6927e", "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Machidian45", "id": "262704", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 34, "modified_text": "891 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6544c7a11d7541bdb3bfe5ff", "name": "Radar Ineractive. Law Firm responsible for cyber crime.", "description": "Is this legal. Attorney from Hall Render law firm cyber stalking and malvertizing targets in adult content, dungeons, death scenarios, suicide threats? Pulse auto populates targets: Tsara Brashears 'alleged' SA victim. This may not be the forum for my , death threats should always be investigated as should allegations of assault. Malware, BotNet, car and phone tracking, monitoring, injection, .gov is found throughout. Monitoring of Safebae.org; online movement began by now deceased 'alleged' SA victim, Daisy Coleman of Audrey & Daisy. High Risk surviving target. Crazy cover up? Each target seems to have a state government power 'implicated' in attack. \n\nEd Said", "modified": "2023-12-16T19:40:11.047000", "created": "2023-11-03T10:12:49.539000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1644, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13455, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "898 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6544c99af21a2fde7bd6927e", "name": "Occamy Remote PC / Device Control ", "description": "", "modified": "2023-12-03T06:04:06.473000", "created": "2023-11-03T10:21:14.428000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544c7a11d7541bdb3bfe5ff", "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "912 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6544d9b0f9b23205eb355210", "name": "Resources Hijacking by Attorney 11_03_2023", "description": "", "modified": "2023-12-03T06:04:06.473000", "created": "2023-11-03T11:29:52.652000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544c7a11d7541bdb3bfe5ff", "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "912 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65459cbd3069e99e327642b6", "name": "Resources Hijacking ", "description": "", "modified": "2023-12-03T06:04:06.473000", "created": "2023-11-04T01:22:05.691000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544d9b0f9b23205eb355210", "export_count": 56, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "912 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6545a303731b2df439eb1a3b", "name": "Occamy Remote PC / Device Control", "description": "", "modified": "2023-12-03T06:04:06.473000", "created": "2023-11-04T01:48:51.255000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544c99af21a2fde7bd6927e", "export_count": 56, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "912 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6545bda27bd3a147ebac71a8", "name": "CNC Feodo Tracker | Resources Hijacking by Attorney ", "description": "", "modified": "2023-12-03T06:04:06.473000", "created": "2023-11-04T03:42:26.978000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544d9b0f9b23205eb355210", "export_count": 57, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "912 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6546d206936ee17a0828d9c9", "name": "Deptlock Browser Compromise attack initiated by malicious (SOC) Partner ", "description": "", "modified": "2023-12-03T06:04:06.473000", "created": "2023-11-04T23:21:42.110000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544c7a11d7541bdb3bfe5ff", "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "912 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a94d1bdedd646afda170d", "name": "Resources Hijacking by Attorney 11_03_2023", "description": "", "modified": "2023-12-03T06:04:06.473000", "created": "2023-12-02T02:22:09.814000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544d9b0f9b23205eb355210", "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "912 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6488fcbcea478acd3a36e7f5", "name": "Twitter Feed - drb_ra - 13-06-2023", "description": "", "modified": "2023-07-13T23:05:28.381000", "created": "2023-06-13T23:33:16.131000", "tags": [ "CobaltStrike", "Qakbot", "Dcrat" ], "references": [ "https://twitter.com/drb_ra/status/1668443301844774912", "https://twitter.com/drb_ra/status/1668443535127859200", "https://twitter.com/drb_ra/status/1668443621283037184", "https://twitter.com/drb_ra/status/1668543867543605248", "https://twitter.com/drb_ra/status/1668549121743921153", "https://twitter.com/drb_ra/status/1668549192275443713", "https://twitter.com/drb_ra/status/1668594279327887360", "https://twitter.com/drb_ra/status/1668594405438046213", "https://twitter.com/drb_ra/status/1668594559121596416", "https://twitter.com/drb_ra/status/1668594625899032576", "https://twitter.com/drb_ra/status/1668594777535705089", "https://twitter.com/drb_ra/status/1668594851573645312", "https://twitter.com/drb_ra/status/1668595044771672064", "https://twitter.com/drb_ra/status/1668595085389209603", "https://twitter.com/drb_ra/status/1668595410200305664", "https://twitter.com/drb_ra/status/1668603446260277255", "https://twitter.com/drb_ra/status/1668610507417485313", "https://twitter.com/drb_ra/status/1668612797792681984", "https://twitter.com/drb_ra/status/1668613592432918529", "https://twitter.com/drb_ra/status/1668655131284455424", "https://twitter.com/drb_ra/status/1668655156949397529", "https://twitter.com/drb_ra/status/1668655178050940950", "https://twitter.com/drb_ra/status/1668655202344357889", "https://twitter.com/drb_ra/status/1668655221575233551", "https://twitter.com/drb_ra/status/1668655244056702979", "https://twitter.com/drb_ra/status/1668655273341333515", "https://twitter.com/drb_ra/status/1668655291070656515", "https://twitter.com/drb_ra/status/1668655309554868224", "https://twitter.com/drb_ra/status/1668655327267504128", "https://twitter.com/drb_ra/status/1668655347907657729", "https://twitter.com/drb_ra/status/1668655381185282050", "https://twitter.com/drb_ra/status/1668655408431472640", "https://twitter.com/drb_ra/status/1668655434171920397", "https://twitter.com/drb_ra/status/1668655465734066177", "https://twitter.com/drb_ra/status/1668655511498027008", "https://twitter.com/drb_ra/status/1668655540833071107", "https://twitter.com/drb_ra/status/1668655573175513088", "https://twitter.com/drb_ra/status/1668655593446338561", "https://twitter.com/drb_ra/status/1668655620088639488", "https://twitter.com/drb_ra/status/1668655651248123906", "https://twitter.com/drb_ra/status/1668655680918630415", "https://twitter.com/drb_ra/status/1668655702213025794", "https://twitter.com/drb_ra/status/1668655744181313536", "https://twitter.com/drb_ra/status/1668655781611200512", "https://twitter.com/drb_ra/status/1668691173936865289", "https://twitter.com/drb_ra/status/1668691214361673728", "https://twitter.com/drb_ra/status/1668691256015200276", "https://twitter.com/drb_ra/status/1668691356305203200", "https://twitter.com/drb_ra/status/1668691739379376144", "https://twitter.com/drb_ra/status/1668691767758037012", "https://twitter.com/drb_ra/status/1668691915192016900", "https://twitter.com/drb_ra/status/1668691936557801503", "https://twitter.com/drb_ra/status/1668691948461236239", "https://twitter.com/drb_ra/status/1668691960905736200", "https://twitter.com/drb_ra/status/1668691974612742144", "https://twitter.com/drb_ra/status/1668692053134286855", "https://twitter.com/drb_ra/status/1668692070536454173", "https://twitter.com/drb_ra/status/1668692085350735889", "https://twitter.com/drb_ra/status/1668692120931016723", "https://twitter.com/drb_ra/status/1668692183627473128", "https://twitter.com/drb_ra/status/1668692240766476294", "https://twitter.com/drb_ra/status/1668692387047022593", "https://twitter.com/drb_ra/status/1668692404570824705", "https://twitter.com/drb_ra/status/1668692443150299136", "https://twitter.com/drb_ra/status/1668692461026156555", "https://twitter.com/drb_ra/status/1668692486737240091", "https://twitter.com/drb_ra/status/1668692505464807449", "https://twitter.com/drb_ra/status/1668692528978075658", "https://twitter.com/drb_ra/status/1668701433846267912", "https://twitter.com/drb_ra/status/1668701920926613507", "https://twitter.com/drb_ra/status/1668715031268081666", "https://twitter.com/drb_ra/status/1668744312560013314", "https://twitter.com/drb_ra/status/1668744391115128834", "https://twitter.com/drb_ra/status/1668744450909020160" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 52 }, "indicator_count": 52, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "1054 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://twitter.com/drb_ra/status/1668603446260277255", "https://twitter.com/drb_ra/status/1668655511498027008", "https://twitter.com/drb_ra/status/1668744450909020160", "https://twitter.com/drb_ra/status/1668655244056702979", "wTools", "https://twitter.com/drb_ra/status/1668655620088639488", "https://twitter.com/drb_ra/status/1668613592432918529", "https://twitter.com/drb_ra/status/1668610507417485313", "https://twitter.com/drb_ra/status/1668692240766476294", "https://twitter.com/drb_ra/status/1668655540833071107", "https://twitter.com/drb_ra/status/1668655408431472640", "https://twitter.com/drb_ra/status/1668655744181313536", "https://twitter.com/drb_ra/status/1668744391115128834", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/drb_ra/status/1668655465734066177", "https://twitter.com/drb_ra/status/1668691974612742144", "The only thing necessary for the triumph of evil is for good men to do nothing.\u201d", "https://twitter.com/drb_ra/status/1668594559121596416", "https://twitter.com/drb_ra/status/1668692387047022593", "https://twitter.com/drb_ra/status/1668655781611200512", "https://twitter.com/drb_ra/status/1668692486737240091", "https://twitter.com/drb_ra/status/1668443535127859200", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://twitter.com/drb_ra/status/1668594777535705089", "https://twitter.com/drb_ra/status/1668691739379376144", "http://alohatube.xyz/search/tsara-brashears", "https://twitter.com/drb_ra/status/1668692528978075658", "https://twitter.com/drb_ra/status/1668595410200305664", "https://twitter.com/drb_ra/status/1668655131284455424", "https://twitter.com/drb_ra/status/1668655178050940950", "http://www.hallrender.com/resources/blog/", "https://twitter.com/drb_ra/status/1668655221575233551", "http://benjamin.xww.de/", "https://twitter.com/drb_ra/status/1668543867543605248", "safebae.org", "Hybrid Analysis", "https://twitter.com/drb_ra/status/1668692183627473128", "https://twitter.com/drb_ra/status/1668594625899032576", "https://twitter.com/drb_ra/status/1668443621283037184", "https://twitter.com/drb_ra/status/1668701920926613507", "https://twitter.com/drb_ra/status/1668715031268081666", "https://twitter.com/drb_ra/status/1668655593446338561", "access.blackbagtech.com", "https://twitter.com/drb_ra/status/1668692053134286855", "https://twitter.com/drb_ra/status/1668692120931016723", "https://twitter.com/drb_ra/status/1668549121743921153", "https://twitter.com/drb_ra/status/1668595044771672064", "Research", "https://twitter.com/drb_ra/status/1668655573175513088", "https://twitter.com/drb_ra/status/1668655273341333515", "https://twitter.com/drb_ra/status/1668692404570824705", "https://twitter.com/drb_ra/status/1668612797792681984", "https://twitter.com/drb_ra/status/1668655202344357889", "https://twitter.com/drb_ra/status/1668744312560013314", "https://twitter.com/drb_ra/status/1668655680918630415", "https://twitter.com/drb_ra/status/1668443301844774912", "https://twitter.com/drb_ra/status/1668691960905736200", "https://twitter.com/drb_ra/status/1668655651248123906", "https://twitter.com/drb_ra/status/1668691256015200276", "https://twitter.com/drb_ra/status/1668655327267504128", "https://twitter.com/drb_ra/status/1668594279327887360", "https://www.hallrender.com/attorney/brian-sabey", "https://twitter.com/drb_ra/status/1668692505464807449", "https://twitter.com/drb_ra/status/1668594405438046213", "https://twitter.com/drb_ra/status/1668595085389209603", "https://twitter.com/drb_ra/status/1668549192275443713", "https://twitter.com/drb_ra/status/1668655156949397529", "https://twitter.com/drb_ra/status/1668655434171920397", "https://twitter.com/drb_ra/status/1668691214361673728", "https://twitter.com/drb_ra/status/1668692461026156555", "poemhunter.com", "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://twitter.com/drb_ra/status/1668692070536454173", "https://twitter.com/drb_ra/status/1668594851573645312", "https://twitter.com/drb_ra/status/1668701433846267912", "https://twitter.com/drb_ra/status/1668655347907657729", "https://twitter.com/drb_ra/status/1668691173936865289", "https://twitter.com/drb_ra/status/1668691356305203200", "https://twitter.com/drb_ra/status/1668692443150299136", "https://twitter.com/drb_ra/status/1668655309554868224", "https://twitter.com/drb_ra/status/1668655702213025794", "https://twitter.com/drb_ra/status/1668691936557801503", "https://twitter.com/drb_ra/status/1668691948461236239", "https://twitter.com/drb_ra/status/1668655291070656515", "https://twitter.com/drb_ra/status/1668655381185282050", "https://twitter.com/drb_ra/status/1668691767758037012", "https://twitter.com/drb_ra/status/1668692085350735889", "https://twitter.com/drb_ra/status/1668691915192016900" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Tulach | Mark Brian Sabey | Hall Render Law Firm", "NSO Group" ], "malware_families": [ "Rms", "Yixun", "Maltiverse", "Nanocore rat", "Slfper:browsermodifier:win32/mediamagnet", "Wacatac", "Hsbc", "Radar ineractive", "Noname057", "Feodo tracker", "Vidar", "Domains", "Agent tesla", "Tiggre", "Br", "Redline", "Cutwail", "Virut", "Inmortal", "Formbook", "Occamy", "Xrat", "Tulach malware", "Zbot", "Zpevdo", "Nymaim", "Opencandy", "Iobit", "Emotet", "Systweak", "Suppobox", "Webtoolbar", "Trojanspy", "Darkside .beware", "Sality" ], "industries": [ "Health" ], "unique_indicators": 36970 } } }, "false_positive": [], "alexa": "", "whois": "http://whois.domaintools.com/123.207.211.161", "domain": "Unavailable", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 15, "pulses": [ { "id": "65bbe07f0780cef1c48ccae4", "name": "access.blackbagtech.com", "description": "innovative forensic acquisition, triage, and analysis software for Windows, Android, iPhone/iPad, and Mac OS X devices.\nIn this instance Pegasus was deployed against the survivor of hungry, injurious SA against Brashears; allegedly assaulted by PT Jeffrey Reimer in AMS Concentra/Select Physical Therapy in Denver, Co. Rather than investigate DPT Reimer, law enforcement launched attack against victim ( SCI/TBI). Brashears was threatened by Mark Montana MD, lawyer and Workers Compensation doctor. Denied care, equally aggressive Montano wage effort to ensure silence and wides bid for Douglas County, Colorado Coroner election. Fraud, framing, death threats ensued. Montano threatened Brashears with his alleged best friend Tony Spurlock, promising a battle against her Court documented. \nBrashears is in danger.", "modified": "2024-03-02T17:02:51.870000", "created": "2024-02-01T18:18:39.156000", "tags": [ "ssl certificate", "whois record", "pegasus", "cellbrite", "targets sa", "survivor", "blackbag", "relations apple", "mdm hacking", "communicating", "execution", "contacted", "quasar", "kgs0", "malware", "core", "hacktool", "ransomexx", "azorult", "emotet", "remcos", "agent tesla", "grandoreiro", "targeting tsara brashears", "delphi programming", "access", "local law enforcement", "quasi case", "framing", "jeffrey reimer dpt 'reported' assaulter", "state and governments cover white offender jeffrey reimer", "indian mix brashears physically attacked often followed", "death threats", "alienvault results removed from search results", "brashears tagged in adult content - not removed", "brashears blacklisted", "reimer promoted", "false criminal records created about brashears", "brashears family identity theft", "judge sided with brashears", "brashears given less than $10000 by Brian sabey", "brian sabey constant contact ) threats", "brashears stalked", "reimer protected and hidden", "pegasus technology disallows victim to report to regulatory boar", "aig", "industry and commerce", "danger", "rob neill drives brashears off road", "brashears further injured", "neill positively identified - no charges", "malvertizing", "botnet", "fraud apple support chats", "falsified medical records", "denied healthcare", "hydrocephalus not disclosed", "permanent damage", "corruption", "burg simpson corruption", "Denver trial attorneys tell brashears statute is 6 years in colo", "da informs brashears no statute", "brashears denied disability benefits for years", "remember george floyd? brashears survived that injury", "brashears cannot digest food", "brashears can't toilet", "jeffrey reimer was reported early", "brashears bullied to return to PT due to workers compensation ru", "montano threatened brashears with breaking the law if not return", "reimer recorded", "recordings stored online", "recordings retrieved by bgp", "bryan counts made aware of recordings", "recordings demanded", "america?", "advocates ensure the rights of others", "make others aware", "who else is unheard.", "non stop harassment", "constant car bomb threats", "brashears unable to properly articulate", "nothing new", "assaulted by man demanding phone", "no charges", "Brian sabey brings case to silence brashears", "sabey motions dismissed", "pegasus involves malicious actions by humans", "pegasus attackers do kill", "pegasus attackers make in person contact", "overly large campaign", "private investigators tailed stalkers. became afraid when learni", "discrimination", "hacking", "tracking", "car hacking", "apple", "android overlay", "network rats", "brashears denied vocational rehab twice", "brashears unhirable due to online profile", "employer rightfully consider brashears attack a risk to others", "group hacked intermountain healthcare", "group hacked uchealth colorado", "group hacked esurance" ], "references": [ "access.blackbagtech.com", "The only thing necessary for the triumph of evil is for good men to do nothing.\u201d" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 87, "FileHash-SHA1": 78, "FileHash-SHA256": 2075, "URL": 2696, "domain": 710, "hostname": 827, "CVE": 1 }, "indicator_count": 6474, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "821 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6588588d4b9eb5c3530caabf", "name": "Ghost RAT | Apple Domain Robot | Cherry Creek, Colorado Retail", "description": "", "modified": "2024-01-23T17:03:33.038000", "created": "2023-12-24T16:13:01.574000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64d1e650a97b0611cf796551", "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28182, "FileHash-MD5": 4761, "FileHash-SHA1": 3109, "FileHash-SHA256": 10324, "domain": 3628, "hostname": 9624, "email": 90, "CIDR": 8, "CVE": 42 }, "indicator_count": 59768, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "860 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a48b6ea16eeb6b54dfad7c", "name": "https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa | Brian Sabey dangerous obsession with Tsara Brashears", "description": "", "modified": "2024-01-15T01:33:34.790000", "created": "2024-01-15T01:33:34.790000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6590f9b6b1fe0330c655c25f", "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "869 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6590f9b6b1fe0330c655c25f", "name": "https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa | Brian Sabey dangerous obsession with Tsara Brashears ", "description": "", "modified": "2023-12-31T05:18:46.519000", "created": "2023-12-31T05:18:46.519000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "658741502e029e25c7152cc0", "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "884 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658741502e029e25c7152cc0", "name": "busted hijacking", "description": "", "modified": "2023-12-23T20:21:36.641000", "created": "2023-12-23T20:21:36.641000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544c99af21a2fde7bd6927e", "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Machidian45", "id": "262704", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 32, "modified_text": "891 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6587414f2e029e25c7152cbf", "name": "busted hijacking", "description": "", "modified": "2023-12-23T20:21:35.725000", "created": "2023-12-23T20:21:35.725000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544c99af21a2fde7bd6927e", "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Machidian45", "id": "262704", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 34, "modified_text": "891 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6544c7a11d7541bdb3bfe5ff", "name": "Radar Ineractive. Law Firm responsible for cyber crime.", "description": "Is this legal. Attorney from Hall Render law firm cyber stalking and malvertizing targets in adult content, dungeons, death scenarios, suicide threats? Pulse auto populates targets: Tsara Brashears 'alleged' SA victim. This may not be the forum for my , death threats should always be investigated as should allegations of assault. Malware, BotNet, car and phone tracking, monitoring, injection, .gov is found throughout. Monitoring of Safebae.org; online movement began by now deceased 'alleged' SA victim, Daisy Coleman of Audrey & Daisy. High Risk surviving target. Crazy cover up? Each target seems to have a state government power 'implicated' in attack. \n\nEd Said", "modified": "2023-12-16T19:40:11.047000", "created": "2023-11-03T10:12:49.539000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1644, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13455, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "898 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6544c99af21a2fde7bd6927e", "name": "Occamy Remote PC / Device Control ", "description": "", "modified": "2023-12-03T06:04:06.473000", "created": "2023-11-03T10:21:14.428000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544c7a11d7541bdb3bfe5ff", "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "912 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6544d9b0f9b23205eb355210", "name": "Resources Hijacking by Attorney 11_03_2023", "description": "", "modified": "2023-12-03T06:04:06.473000", "created": "2023-11-03T11:29:52.652000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544c7a11d7541bdb3bfe5ff", "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "912 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65459cbd3069e99e327642b6", "name": "Resources Hijacking ", "description": "", "modified": "2023-12-03T06:04:06.473000", "created": "2023-11-04T01:22:05.691000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544d9b0f9b23205eb355210", "export_count": 56, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "912 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://123.207.211.161/dot.gif", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://123.207.211.161/dot.gif", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780408631.1990337 }