{ "type": "URL", "indicator": "https://a.oooooooooo.ga/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://a.oooooooooo.ga/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3806047009, "indicator": "https://a.oooooooooo.ga/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 29, "pulses": [ { "id": "69bf8e2663d5480917ddb699", "name": "Pegasus - https://house.mo.gov/ | Brian Sabey HallRender [i cloned OctoSeek] T8", "description": "", "modified": "2026-03-22T08:35:26.266000", "created": "2026-03-22T06:37:26.233000", "tags": [ "united", "as393601 state", "a domains", "passive dns", "as397241", "certificate", "urls", "search", "showing", "entries", "algorithm", "full name", "data", "v3 serial", "number", "cus cndigicert", "global g2", "tls rsa", "sha256", "ca1 odigicert", "info", "record type", "ttl value", "all txt", "ssl certificate", "whois record", "contacted", "referrer", "resolutions", "historical ssl", "communicating", "problems", "parent domain", "njrat", "ransomware", "startpage", "historical", "malware", "execution", "threat roundup", "april", "september", "remcos rat", "august", "june", "qakbot", "push", "service", "privateloader", "amadey", "powershell", "qbot", "cobalt strike", "core", "hacktool", "november", "october", "roundup", "threat network", "cellbrite", "february", "emotet", "maze", "metro", "dark", "malicious", "team", "critical", "copy", "awful", "parallax rat", "banker", "keylogger", "dns replication", "date", "csc corporate", "domains", "code", "server", "registrar abuse", "registrar iana", "registry domain", "registrar url", "registrar", "contact phone", "apple ios", "quasar", "remcos", "ursnif", "chaos", "ransomexx", "azorult", "agent tesla", "evilnum", "asyncrat", "win32 exe", "wininit", "beta version", "cmstp", "taskscheduler", "ieudinit", "nat32", "certsentry", "type name", "wc3 rpg", "pegasus", "unknown", "domain", "servers", "germany unknown", "name servers", "status", "next", "as29066 host", "as133618", "cname", "as47846", "scan endpoints", "all octoseek", "pulse pulses", "encrypt", "china unknown", "as38365 beijing", "as134175 unit", "707713", "hong kong", "virgin islands", "as6461 zayo", "ransom", "exploit", "ipv4", "pulse submit", "url analysis", "trojan", "body", "click", "creation date", "emails", "expiration date", "domain privacy", "hostname", "dynamicloader", "state", "medium", "msie", "windows nt", "wow64", "show", "slcc2", "media center", "error", "delphi", "guard", "write", "win32", "target", "redir", "facebook", "dcom", "local", "delete", "utf8", "unicode text", "crlf line", "rgba", "yara detections", "default", "asnone", "get na", "dns lookup", "probe ms17010", "eternalblue", "playgame", "high", "related pulses", "yara rule", "anomalous file", "dynamic", "malware infection", "cnc", "procmem_yara", "antivm_generic_disk", "modify_proxy infostealer_cookies", "network_http", "anomalous_deletefile", "antidebug_guardpages", "powershell_request", "powershell_download", "as63949 linode", "mtb feb", "open ports", "backdoor", "gmt content", "trojandropper", "simda", "lockbit", "win.trojan", "midia-4", "floxif", "cryptowall", "brontok", "check in", "record value", "files", "location united", "america asn", "as16509", "download", "threat", "paste", "iocs", "analyze", "hostnames", "urls http", "samples", "tsara brashears", "2nd corintnthians 4:8-9", "injection_inter_process", "injection_create_remote_thread", "persistence_autorun", "bypass_firewall", "disables_windowsupdate", "dynamic_function_loading", "http_request", "query", "delete c", "activity dns", "components", "file execution", "observed dns", "as4837 china", "nxdomain", "a nxdomain", "wannacry", "missouri", "safebae", "hallrender", "house.mo.gov", "typosquatting", "tactics", "google", "win64", "khtml", "gecko", "veryhigh", "aes256gcm", "dalles", "cookie", "urls https", "xpcegvo2adsnq", "mhkz", "mvi2", "keepaliveyes", "fexp24007246", "nsyt", "eva reimer", "daisy coleman", "brian sabey", "https://lawlink.com/documents/10935/blackbag-technologies-announ" ], "references": [ "https://house.mo.gov/ \u2022 house.mo.gov \u2022 mo.gov", "dns.msftncsi.com", "NSO Group - Pegasus: enterprise.cellebrite.com \u2022 cellebrite.com \u2022 erp002.blackbagtech.com \u2022 140.108.21.184", "Target\u2193\u2192 Tsara Brashears: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "23.216.147.64", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple/ iOS unlocker password decryption]", "http://alohatube.xyz/search/tsara-brashears [Telecom \u2022 Brashears Telecom services modified (malicious)]", "alohatube.xyz [BotNetwork]", "facebooksunglassshop.com", "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com - Lockbit Black 3.0, Observed AridViper CnC Domain, Win.Trojan.Midia-4", "oooooooooo.ga \u2022 rallypoint.com \u2022 pornhub.dev \u2022 chats.pornhub.dev \u2022 https://twitter.com/PORNO_SEXYBABES \u2022 https://matrix.pornhub.dev \u2022 https://git.pornhub.dev", "http://dobkinfamily.com/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/cum-on-ass-porn/", "government.westlaw.com \u2022 hero9780.duckdns.org \u2022 hallrender.com \u2022 miles-andmore.duckdns.org", "https://otx.alienvault.com/indicator/url/https://miles-andmore.duckdns.org/ihFKGyel4wizIPNVvHHQQIuHfl4hEb2F6gWEXupmNDuiMJgJtshSlLFmilf3zCT2EF/index.html", "remote.utorrent.com [remote router logins]", "Tracking: http://www.trackip.net/ip \u2022 gfx.ms \u2022 dssruletracker.mo.gov [network] \u2022 earlyconnections.mo.gov \u2022 www77.trackerspy.com \u2022 ww38.track.updatevideos.com", "http://tracking.studyportalsmail.com/about/privacy/?cdmtw=BAAAIAEAIGmGCaIK4E8-IsDv \u2022 tracking.studyportalsmail.com \u2022 plugtrack.online", "http://images.startappservice.com/image/fetch/f_auto \u2022 track.smtpsendemail.com \u2022 nr-data.net [apple] \u2022 lg.as35280.net \u2022 leaseway.damstracking.com", "http://tvm77.fashiongup.in/tracking/track-open", "https://www.house.mo.gov:80/messageboard/ \u2022 extranet16.mo.gov \u2022 login.mo.gov \u2022 witness.house.mo.gov \u2022 dps.mo.gov \u2022 dev-publicdefender.mo.gov", "https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg", "http://hallrender.com/attorney/brian-sabey \u2022 https://hallrender.com/attorney/brian-sabey \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-48x48.png \u2022 http://2fwww.hallrender.com/", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png \u2022 https://vcards.hallrender.com/", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-300x300.png \u2022 http://mail2.hallrender.com/", "hallrender.com \u2022 government.westlaw.com \u2022 http://dev.hallrender.com/ \u2022 https://mercy.hallrender.com/ \u2022 autodiscover.hallrender.com", "http://web2.westlaw.com/find/default.wl?tf=-1&rs=WLW9.10&referencepositiontype=S&serialnum=1987042953&fn=_top&sv=Split&referenceposition=1555&pbc=D5845283&tc=-1&ordoc=1989026578&findtype=Y&db=708&vr=2.0&rp=/find/default.wl&mt=208", "https://otx.alienvault.com/indicator/ip/45.56.79.23 \u2022 batchcourtexpressservices.westlaw.com \u2022 courtexpress.westlaw.com", "safebae.org \u2022 rp.dudaran2.com \u2022 www.safebae.org \u2022 https://safebae.org/%20%5B \u2022 https://safebae.org/about/ \u2022 https://safebae.org/", "https://safebae.org/wp-content/plugins/addons-for-visual-composer/assets/js/slick.min.js?ver=2.9.2 \u2022 https://api.w.org/ \u2022 247.0.198.104.bc.googleusercontent.com", "https://safebae.org/wp-json/ \u2022 https://safebae.org/wp-content/plugins/embed-any-document/css/embed-public.min.css?ver=2.7.4", "Malware Hosting: http://81.5.88.13/dbreader.exe \u2022 http://utasoft.ru/catalog/view/javascript/jquery/ui/jquery-ui-1.8.16.custom.min.js", "Apple Malware: http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Apple unlocker, decryption via media]", "Malware Hosting: deviceinbox.com \u2022 http://www.hakoonportal.net/240714d/240714_t2.exe \u2022103.246.145.111 \u2022 Spyware: stream.ntpserver.store", "https://nl.toyota.be/tme [vehicle spyware, camera, data, speakers]", "http://link.mcsa.org/api/LinkHandler/getaction?redirectParam2=K09weU5vMDBKWW90Wk1hcHl4SmF4NGtHbnBGbjJaVElud2tpMlBaUGhseXZNM0JLaHRaUnJZOVh1bmMvSVhYWDZhb0UwY2hPaGVuSGNDRUFYeHNzWWFQL0dBNVlRVmlTSGpXa016bUQzWUZ6cVZRcktRTmRyZHJPYlBrY1NpSyt6ZzBrS0FjWk9EYSs4WmdOc2RBU09CR1RjWVNiTUZpYkhNV1lvNzkwbzhLMUxDUzQzS0FaVU5LYTZWSUZoS1Vt", "sexuallybroken.info \u2022 sinful-bordello.top-sex.us \u2022 crackedtool.com \u2022 kddi-cloud.com \u2022 http://tuksex.duckdns.org/bb/login.php", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [ "United States of America", "China", "Australia", "Hong Kong" ], "malware_families": [ { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "EVILNUM", "display_name": "EVILNUM", "target": null }, { "id": "Dark", "display_name": "Dark", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Keylogger", "display_name": "Keylogger", "target": null }, { "id": "Maze", "display_name": "Maze", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "Parallax RAT", "display_name": "Parallax RAT", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Remcos RAT", "display_name": "Remcos RAT", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Win.Trojan.Agent-336074", "display_name": "Win.Trojan.Agent-336074", "target": null }, { "id": "Arid.Viper_CnC", "display_name": "Arid.Viper_CnC", "target": null }, { "id": "WininiCrypt", "display_name": "WininiCrypt", "target": null }, { "id": "PWS:Win32/QQpass.CI", "display_name": "PWS:Win32/QQpass.CI", "target": "/malware/PWS:Win32/QQpass.CI" }, { "id": "Win.Trojan.Midia-4", "display_name": "Win.Trojan.Midia-4", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Win32/SocStealer!rfn", "display_name": "Win32/SocStealer!rfn", "target": null }, { "id": "Backdoor.Win32.Shiz.ufj", "display_name": "Backdoor.Win32.Shiz.ufj", "target": null }, { "id": "Email-Worm.Win32.Brontok.n", "display_name": "Email-Worm.Win32.Brontok.n", "target": null }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": "65c91f2b7c03b480379ae4d1", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2668, "FileHash-SHA1": 2469, "FileHash-SHA256": 8054, "URL": 6185, "domain": 2421, "hostname": 3042, "CVE": 5, "email": 15, "CIDR": 1, "IPv4": 18 }, "indicator_count": 24878, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a9e7c572b8411d126215a6", "name": "@scoreblue callback clone", "description": "", "modified": "2026-03-06T05:11:18.020000", "created": "2026-03-05T20:29:57.169000", "tags": [ "acceptencoding", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers xcache", "wp engine", "threat", "paste", "iocs", "urls https", "samples", "contacted", "apple", "ssl certificate", "whois record", "contacted", "historical ssl", "referrer", "execution", "tsara brashears", "apple ios", "historical", "communicating", "copy", "attack", "njrat", "ransomware", "hacktool", "metro", "malicious", "crypto", "installer", "awful", "startpage", "callback phishing", "safebae", "catherine daisy coleman", "pegasus", "nso", "kb font", "january", "http", "resource path", "size", "type mimetype", "primary request", "kb document", "general full", "url http", "low risk", "sucuri firewall", "malware found", "site", "unknown", "low security", "risk", "website malware", "security no", "protect", "html internet", "html document", "unicode text", "utf8 text", "no data", "tag count", "sample summary", "sample", "detection list", "blacklist", "count blacklist", "tag tag", "anchor hrefs", "wordpress", "html info", "title safebae", "anyone else", "meta tags", "wpbakery page", "builder", "slider plugin", "script tags", "passive dns", "urls", "a nxdomain", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "files", "domain", "files ip", "united", "status", "as13768 aptum", "date", "moved", "creation date", "search", "record value", "body", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "false", "as30148 sucuri", "a domains", "gmt content", "ipv4", "win64", "back", "linux mint", "hacking", "brian sabey", "tracking", "hallrender", "staging", "dns", "network", "control", "bazar" ], "references": [ "https://safebae.org/", "www.hallrender.com", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "http://files.geoffreyobrian.com/uploads/1/3/2/8/132814305/3473236.pdf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing/ links to Brashears browser Google.com.uy/clk malicious, links for collection", "https://applemusic-spotlight.myunidays.com/US/en-US? [potential Apple pegasus media entrance]", "'https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption| password unlocker]", "s3.amazonaws.com [ metro T-Mobile spyware porn]", "9.6.zip - SQLi", "dns.trackgroup.net", "nr-data.net [Apple Private Data Collection]", "scripting-sandbox-dns.bunny.net", "http://www.01tracks.com/happy-customers", "https://www.rallypoint.com/command-post/veterans-benefits-banking-program-integrates-with-vetcents-to-improve-veterans-financial-health?utm_source=dept_of_va&utm_medium=email&utm_campaign=vavetcents", "http://yabs.yandex.uz/count/DbMMoEMwcAa508C2CI72BLq00000EEu2G0980c2y26W2SBYTbz06W06CXPm9Y06nyBJ1CP01mldXrZ6O0S3OwEyok06sjOF85S01NDW1uiI14E01zEhV3-W1Q9W2bk3S1A02jCW1s082y0AM-kpb2_W2aF62vgN6kDNb0O03iD_Kq0-80-cvf8mEc0EweogW0mIe0mQm0mIm106u1Fy1w0J-jHRu1D660uW5qOO3a0MGuWkW1PPtg0MeOx05g6Eu1VN-0i05bP0Lo0N0hmNW1GNm1G6O1eBGhFCEe0Q-eG6e1jW2oGPlwQdYVheAOD46Rn4LqN-w2c3P1W000C2z0000gGTjZOZwJYhCDx07W82ODD070k07XWhn1wbhSBFKCwp6W0WAq0Y0WeI1nP20Xe01u0YQP80A0S4A00000000y3_O2WBW2e29UlWAWBKOgWiGasxIrMsD000sz7Ltouq50DaBROs8-aug", "remote.utorrent.com | pornhub.dev | lp.rallypoint.com", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Twitter porno]", "https://www.hallrender.com/attorney/brian-sabey/Accept [Weird - defended Jeffrey Scott Reimer Tsara Brashears alleged assaulter[", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png [offered Brashears settlement that month]", "deadlyexploits.com | deadlysymbol.com |", "amail.linuxmint.com | api1-live.linuxmint.com | Hostname apipackages.linuxmint.com | apollo-extra.linuxmint.com | apps.linuxmint.com | arc.linuxmint.com | archive.linuxmint.com | betaforums1.linuxmint.com Hostname blogs.linuxmint.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Callback Phishing", "display_name": "Callback Phishing", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "BazarCall", "display_name": "BazarCall", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "65b8a052c4160dbd76054f8a", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2802, "URL": 3267, "domain": 1459, "hostname": 1268, "FileHash-MD5": 227, "FileHash-SHA1": 144, "CVE": 2, "email": 1, "SSLCertFingerprint": 2 }, "indicator_count": 9172, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "686ab98ff0cb9baa4e2b2000", "name": "https://house.mo.gov/ Palantir Technologies HARMFUL (copied OctoseekPulse) Attacks SA victims?", "description": "", "modified": "2025-08-05T21:02:46.419000", "created": "2025-07-06T17:59:43.440000", "tags": [ "runtime process", "localappdata", "size", "sha256", "sha1", "temp", "prefetch8", "prefetch1", "unicode text", "type data", "hybrid", "general", "click", "strings", "contact", "mitre", "writes a pe file header to disc", "show process", "date", "document file", "v2 document", "ascii text", "malicious", "local", "path", "found", "ssl certificate", "whois record", "threat roundup", "contacted", "october", "resolutions", "apple ios", "referrer", "communicating", "execution", "june", "august", "emotet", "qakbot", "agent tesla", "azorult", "core", "maze", "metro", "dark", "team", "critical", "copy", "awful", "ursnif", "hacktool", "info", "qbot", "april", "njrat", "nokoyawa", "djvu", "flubot", "ransomware", "bandit stealer", "hallrender", "spyware", "safebae", "tsara brashears", "westlaw", "river.rocks", "brian sabey", "targeting", "dnspionage", "united", "unknown", "search", "aaaa", "showing", "domain", "creation date", "record value", "dnssec", "body", "passive dns", "encrypt", "as14061", "germany unknown", "as397240", "gmt server", "443 ma2592000", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "main", "installing", "as16276", "france unknown", "name servers", "as8075", "servers", "next", "as63949 linode", "as206834 team", "canada unknown", "status", "as61969 team", "msie", "chrome", "ransom", "gone", "title", "head body", "malware" ], "references": [ "\u2193\u2192Found in: https://house.mo.gov/\u2193", "dns.msftncsi.com \u2022 https://dns.msftncsi.com/ \u2022 http://dns.msftncsi.com/", "demo.auth.civicalg.com.sni.cloudflaressl.com", "happyrabbit.kr [Apple iOS threat]", "https://appletoncdn.xyz/l/26422915e0d4f6f88646?sub=5eafeec1af7c0a0001960f44&source=81 \u2022 appletoncdn.xyz", "https://tracking.s-unlock.com \u2022 https://ignaciob.com/track/click/v2-318692303 \u2022 adepttracker.com \u2022", "https://your-sugar-girls.com/cams/default/adult/5277/index.html?p1=https://bongacams10.com/track?c=621661&subid=1a1d33f51a7179480c6d4aeb40d3a5a1&subid2=16969639", "https://click.stecloud.us/campaign/track-email/384458660__3339__6837152__393", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://enter.private.com/track/MTIxODEuNjEuMi41MjEuMTAxMC4wLjAuMC4w/join", "http://nudeteenporn.site" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Nokoyawa Ransomware", "display_name": "Nokoyawa Ransomware", "target": null }, { "id": "Bandit Stealer", "display_name": "Bandit Stealer", "target": null }, { "id": "FluBot", "display_name": "FluBot", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Djvu", "display_name": "Djvu", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Maze", "display_name": "Maze", "target": null }, { "id": "Dark", "display_name": "Dark", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1065", "name": "Uncommonly Used Port", "display_name": "T1065 - Uncommonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" } ], "industries": [], "TLP": "green", "cloned_from": "65c96df8fe0657d56a206a49", "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 251, "FileHash-SHA1": 211, "FileHash-SHA256": 3226, "domain": 1867, "URL": 10030, "hostname": 2919, "CVE": 7, "email": 6 }, "indicator_count": 18517, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "257 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657fee4dec993692315eb9e9", "name": "NjRAT | Threat Network | https://www.poemhunter.com/tsara-brashears ", "description": "", "modified": "2024-09-05T07:13:57.083000", "created": "2023-12-18T07:01:33.682000", "tags": [ "ssl certificate", "whois record", "resolutions", "threat roundup", "referrer", "contacted", "april", "historical ssl", "threat network", "june", "august", "ransomware", "malware", "python", "probe", "formbook", "dropped", "njrat", "malware alibaba", "cloud computing", "service", "love", "execution" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "657fed19f6d24e751fa82de8", "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 152, "FileHash-SHA256": 2775, "URL": 7125, "domain": 1726, "hostname": 2417 }, "indicator_count": 14348, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c91f2b7c03b480379ae4d1", "name": "Pegasus - https://house.mo.gov/ | Brian Sabey HallRender", "description": "1st time researching https://house.mo.gov/ & house.mo.gov. False arrest records of a target originated from Missouri. A glitch delete pulses & references in bulk.\nPegasus is the should be illegal. Destroying evidence of a truth that would be believed if heard. Spying for dirt to discredit. Target heavily deterred by cyber warfare, healthcare fraud, injuries, financial difficulties due to hacked away businesses, strange shadowy government abused, in person stalking, threats and physical attacks, denied disability with a spinal cord injury?\nhttps://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "modified": "2024-03-12T15:03:06.954000", "created": "2024-02-11T19:25:31.451000", "tags": [ "united", "as393601 state", "a domains", "passive dns", "as397241", "certificate", "urls", "search", "showing", "entries", "algorithm", "full name", "data", "v3 serial", "number", "cus cndigicert", "global g2", "tls rsa", "sha256", "ca1 odigicert", "info", "record type", "ttl value", "all txt", "ssl certificate", "whois record", "contacted", "referrer", "resolutions", "historical ssl", "communicating", "problems", "parent domain", "njrat", "ransomware", "startpage", "historical", "malware", "execution", "threat roundup", "april", "september", "remcos rat", "august", "june", "qakbot", "push", "service", "privateloader", "amadey", "powershell", "qbot", "cobalt strike", "core", "hacktool", "november", "october", "roundup", "threat network", "cellbrite", "february", "emotet", "maze", "metro", "dark", "malicious", "team", "critical", "copy", "awful", "parallax rat", "banker", "keylogger", "dns replication", "date", "csc corporate", "domains", "code", "server", "registrar abuse", "registrar iana", "registry domain", "registrar url", "registrar", "contact phone", "apple ios", "quasar", "remcos", "ursnif", "chaos", "ransomexx", "azorult", "agent tesla", "evilnum", "asyncrat", "win32 exe", "wininit", "beta version", "cmstp", "taskscheduler", "ieudinit", "nat32", "certsentry", "type name", "wc3 rpg", "pegasus", "unknown", "domain", "servers", "germany unknown", "name servers", "status", "next", "as29066 host", "as133618", "cname", "as47846", "scan endpoints", "all octoseek", "pulse pulses", "encrypt", "china unknown", "as38365 beijing", "as134175 unit", "707713", "hong kong", "virgin islands", "as6461 zayo", "ransom", "exploit", "ipv4", "pulse submit", "url analysis", "trojan", "body", "click", "creation date", "emails", "expiration date", "domain privacy", "hostname", "dynamicloader", "state", "medium", "msie", "windows nt", "wow64", "show", "slcc2", "media center", "error", "delphi", "guard", "write", "win32", "target", "redir", "facebook", "dcom", "local", "delete", "utf8", "unicode text", "crlf line", "rgba", "yara detections", "default", "asnone", "get na", "dns lookup", "probe ms17010", "eternalblue", "playgame", "high", "related pulses", "yara rule", "anomalous file", "dynamic", "malware infection", "cnc", "procmem_yara", "antivm_generic_disk", "modify_proxy infostealer_cookies", "network_http", "anomalous_deletefile", "antidebug_guardpages", "powershell_request", "powershell_download", "as63949 linode", "mtb feb", "open ports", "backdoor", "gmt content", "trojandropper", "simda", "lockbit", "win.trojan", "midia-4", "floxif", "cryptowall", "brontok", "check in", "record value", "files", "location united", "america asn", "as16509", "download", "threat", "paste", "iocs", "analyze", "hostnames", "urls http", "samples", "tsara brashears", "2nd corintnthians 4:8-9", "injection_inter_process", "injection_create_remote_thread", "persistence_autorun", "bypass_firewall", "disables_windowsupdate", "dynamic_function_loading", "http_request", "query", "delete c", "activity dns", "components", "file execution", "observed dns", "as4837 china", "nxdomain", "a nxdomain", "wannacry", "missouri", "safebae", "hallrender", "house.mo.gov", "typosquatting", "tactics", "google", "win64", "khtml", "gecko", "veryhigh", "aes256gcm", "dalles", "cookie", "urls https", "xpcegvo2adsnq", "mhkz", "mvi2", "keepaliveyes", "fexp24007246", "nsyt", "eva reimer", "daisy coleman", "brian sabey", "https://lawlink.com/documents/10935/blackbag-technologies-announ" ], "references": [ "https://house.mo.gov/ \u2022 house.mo.gov \u2022 mo.gov", "dns.msftncsi.com", "NSO Group - Pegasus: enterprise.cellebrite.com \u2022 cellebrite.com \u2022 erp002.blackbagtech.com \u2022 140.108.21.184", "Target\u2193\u2192 Tsara Brashears: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "23.216.147.64", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple/ iOS unlocker password decryption]", "http://alohatube.xyz/search/tsara-brashears [Telecom \u2022 Brashears Telecom services modified (malicious)]", "alohatube.xyz [BotNetwork]", "facebooksunglassshop.com", "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com - Lockbit Black 3.0, Observed AridViper CnC Domain, Win.Trojan.Midia-4", "oooooooooo.ga \u2022 rallypoint.com \u2022 pornhub.dev \u2022 chats.pornhub.dev \u2022 https://twitter.com/PORNO_SEXYBABES \u2022 https://matrix.pornhub.dev \u2022 https://git.pornhub.dev", "http://dobkinfamily.com/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/cum-on-ass-porn/", "government.westlaw.com \u2022 hero9780.duckdns.org \u2022 hallrender.com \u2022 miles-andmore.duckdns.org", "https://otx.alienvault.com/indicator/url/https://miles-andmore.duckdns.org/ihFKGyel4wizIPNVvHHQQIuHfl4hEb2F6gWEXupmNDuiMJgJtshSlLFmilf3zCT2EF/index.html", "remote.utorrent.com [remote router logins]", "Tracking: http://www.trackip.net/ip \u2022 gfx.ms \u2022 dssruletracker.mo.gov [network] \u2022 earlyconnections.mo.gov \u2022 www77.trackerspy.com \u2022 ww38.track.updatevideos.com", "http://tracking.studyportalsmail.com/about/privacy/?cdmtw=BAAAIAEAIGmGCaIK4E8-IsDv \u2022 tracking.studyportalsmail.com \u2022 plugtrack.online", "http://images.startappservice.com/image/fetch/f_auto \u2022 track.smtpsendemail.com \u2022 nr-data.net [apple] \u2022 lg.as35280.net \u2022 leaseway.damstracking.com", "http://tvm77.fashiongup.in/tracking/track-open", "https://www.house.mo.gov:80/messageboard/ \u2022 extranet16.mo.gov \u2022 login.mo.gov \u2022 witness.house.mo.gov \u2022 dps.mo.gov \u2022 dev-publicdefender.mo.gov", "https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg", "http://hallrender.com/attorney/brian-sabey \u2022 https://hallrender.com/attorney/brian-sabey \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-48x48.png \u2022 http://2fwww.hallrender.com/", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png \u2022 https://vcards.hallrender.com/", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-300x300.png \u2022 http://mail2.hallrender.com/", "hallrender.com \u2022 government.westlaw.com \u2022 http://dev.hallrender.com/ \u2022 https://mercy.hallrender.com/ \u2022 autodiscover.hallrender.com", "http://web2.westlaw.com/find/default.wl?tf=-1&rs=WLW9.10&referencepositiontype=S&serialnum=1987042953&fn=_top&sv=Split&referenceposition=1555&pbc=D5845283&tc=-1&ordoc=1989026578&findtype=Y&db=708&vr=2.0&rp=/find/default.wl&mt=208", "https://otx.alienvault.com/indicator/ip/45.56.79.23 \u2022 batchcourtexpressservices.westlaw.com \u2022 courtexpress.westlaw.com", "safebae.org \u2022 rp.dudaran2.com \u2022 www.safebae.org \u2022 https://safebae.org/%20%5B \u2022 https://safebae.org/about/ \u2022 https://safebae.org/", "https://safebae.org/wp-content/plugins/addons-for-visual-composer/assets/js/slick.min.js?ver=2.9.2 \u2022 https://api.w.org/ \u2022 247.0.198.104.bc.googleusercontent.com", "https://safebae.org/wp-json/ \u2022 https://safebae.org/wp-content/plugins/embed-any-document/css/embed-public.min.css?ver=2.7.4", "Malware Hosting: http://81.5.88.13/dbreader.exe \u2022 http://utasoft.ru/catalog/view/javascript/jquery/ui/jquery-ui-1.8.16.custom.min.js", "Apple Malware: http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Apple unlocker, decryption via media]", "Malware Hosting: deviceinbox.com \u2022 http://www.hakoonportal.net/240714d/240714_t2.exe \u2022103.246.145.111 \u2022 Spyware: stream.ntpserver.store", "https://nl.toyota.be/tme [vehicle spyware, camera, data, speakers]", "http://link.mcsa.org/api/LinkHandler/getaction?redirectParam2=K09weU5vMDBKWW90Wk1hcHl4SmF4NGtHbnBGbjJaVElud2tpMlBaUGhseXZNM0JLaHRaUnJZOVh1bmMvSVhYWDZhb0UwY2hPaGVuSGNDRUFYeHNzWWFQL0dBNVlRVmlTSGpXa016bUQzWUZ6cVZRcktRTmRyZHJPYlBrY1NpSyt6ZzBrS0FjWk9EYSs4WmdOc2RBU09CR1RjWVNiTUZpYkhNV1lvNzkwbzhLMUxDUzQzS0FaVU5LYTZWSUZoS1Vt", "sexuallybroken.info \u2022 sinful-bordello.top-sex.us \u2022 crackedtool.com \u2022 kddi-cloud.com \u2022 http://tuksex.duckdns.org/bb/login.php", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [ "United States of America", "China", "Australia", "Hong Kong" ], "malware_families": [ { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "EVILNUM", "display_name": "EVILNUM", "target": null }, { "id": "Dark", "display_name": "Dark", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Keylogger", "display_name": "Keylogger", "target": null }, { "id": "Maze", "display_name": "Maze", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "Parallax RAT", "display_name": "Parallax RAT", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Remcos RAT", "display_name": "Remcos RAT", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Win.Trojan.Agent-336074", "display_name": "Win.Trojan.Agent-336074", "target": null }, { "id": "Arid.Viper_CnC", "display_name": "Arid.Viper_CnC", "target": null }, { "id": "WininiCrypt", "display_name": "WininiCrypt", "target": null }, { "id": "PWS:Win32/QQpass.CI", "display_name": "PWS:Win32/QQpass.CI", "target": "/malware/PWS:Win32/QQpass.CI" }, { "id": "Win.Trojan.Midia-4", "display_name": "Win.Trojan.Midia-4", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Win32/SocStealer!rfn", "display_name": "Win32/SocStealer!rfn", "target": null }, { "id": "Backdoor.Win32.Shiz.ufj", "display_name": "Backdoor.Win32.Shiz.ufj", "target": null }, { "id": "Email-Worm.Win32.Brontok.n", "display_name": "Email-Worm.Win32.Brontok.n", "target": null }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 148, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1373, "FileHash-SHA1": 1174, "FileHash-SHA256": 6417, "URL": 4264, "domain": 2304, "hostname": 2413, "CVE": 4, "email": 15, "CIDR": 1 }, "indicator_count": 17965, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "768 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b9716ef65566497546a7b1", "name": "Callback Phishing Campaign | Pegasus | https://safebae.org/", "description": "", "modified": "2024-02-29T04:00:48.424000", "created": "2024-01-30T22:00:14.725000", "tags": [ "acceptencoding", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers xcache", "wp engine", "threat", "paste", "iocs", "urls https", "samples", "contacted", "apple", "ssl certificate", "whois record", "contacted", "historical ssl", "referrer", "execution", "tsara brashears", "apple ios", "historical", "communicating", "copy", "attack", "njrat", "ransomware", "hacktool", "metro", "malicious", "crypto", "installer", "awful", "startpage", "callback phishing", "safebae", "catherine daisy coleman", "pegasus", "nso", "kb font", "january", "http", "resource path", "size", "type mimetype", "primary request", "kb document", "general full", "url http", "low risk", "sucuri firewall", "malware found", "site", "unknown", "low security", "risk", "website malware", "security no", "protect", "html internet", "html document", "unicode text", "utf8 text", "no data", "tag count", "sample summary", "sample", "detection list", "blacklist", "count blacklist", "tag tag", "anchor hrefs", "wordpress", "html info", "title safebae", "anyone else", "meta tags", "wpbakery page", "builder", "slider plugin", "script tags", "passive dns", "urls", "a nxdomain", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "files", "domain", "files ip", "united", "status", "as13768 aptum", "date", "moved", "creation date", "search", "record value", "body", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "false", "as30148 sucuri", "a domains", "gmt content", "ipv4", "win64", "back", "linux mint", "hacking", "brian sabey", "tracking", "hallrender", "staging", "dns", "network", "control", "bazar" ], "references": [ "https://safebae.org/", "www.hallrender.com", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "http://files.geoffreyobrian.com/uploads/1/3/2/8/132814305/3473236.pdf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing/ links to Brashears browser Google.com.uy/clk malicious, links for collection", "https://applemusic-spotlight.myunidays.com/US/en-US? [potential Apple pegasus media entrance]", "'https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption| password unlocker]", "s3.amazonaws.com [ metro T-Mobile spyware porn]", "9.6.zip - SQLi", "dns.trackgroup.net", "nr-data.net [Apple Private Data Collection]", "scripting-sandbox-dns.bunny.net", "http://www.01tracks.com/happy-customers", "https://www.rallypoint.com/command-post/veterans-benefits-banking-program-integrates-with-vetcents-to-improve-veterans-financial-health?utm_source=dept_of_va&utm_medium=email&utm_campaign=vavetcents", "http://yabs.yandex.uz/count/DbMMoEMwcAa508C2CI72BLq00000EEu2G0980c2y26W2SBYTbz06W06CXPm9Y06nyBJ1CP01mldXrZ6O0S3OwEyok06sjOF85S01NDW1uiI14E01zEhV3-W1Q9W2bk3S1A02jCW1s082y0AM-kpb2_W2aF62vgN6kDNb0O03iD_Kq0-80-cvf8mEc0EweogW0mIe0mQm0mIm106u1Fy1w0J-jHRu1D660uW5qOO3a0MGuWkW1PPtg0MeOx05g6Eu1VN-0i05bP0Lo0N0hmNW1GNm1G6O1eBGhFCEe0Q-eG6e1jW2oGPlwQdYVheAOD46Rn4LqN-w2c3P1W000C2z0000gGTjZOZwJYhCDx07W82ODD070k07XWhn1wbhSBFKCwp6W0WAq0Y0WeI1nP20Xe01u0YQP80A0S4A00000000y3_O2WBW2e29UlWAWBKOgWiGasxIrMsD000sz7Ltouq50DaBROs8-aug", "remote.utorrent.com | pornhub.dev | lp.rallypoint.com", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Twitter porno]", "https://www.hallrender.com/attorney/brian-sabey/Accept [Weird - defended Jeffrey Scott Reimer Tsara Brashears alleged assaulter[", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png [offered Brashears settlement that month]", "deadlyexploits.com | deadlysymbol.com |", "amail.linuxmint.com | api1-live.linuxmint.com | Hostname apipackages.linuxmint.com | apollo-extra.linuxmint.com | apps.linuxmint.com | arc.linuxmint.com | archive.linuxmint.com | betaforums1.linuxmint.com Hostname blogs.linuxmint.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Callback Phishing", "display_name": "Callback Phishing", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "BazarCall", "display_name": "BazarCall", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "65b8a05a0b9ebf8d916f0a6d", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2802, "URL": 3266, "domain": 1458, "hostname": 1265, "FileHash-MD5": 227, "FileHash-SHA1": 144, "CVE": 2, "email": 1, "SSLCertFingerprint": 2 }, "indicator_count": 9167, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "780 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b8a05a0b9ebf8d916f0a6d", "name": "Callback Phishing Campaign | Pegasus | Callback Phishing | https://safebae.org/", "description": "Multiple ransomware groups have adopted the BazarCall callback phishing technique a sophisticated scam; to gain initial access to victims' networks\nCallback phishing is a relying on a multi-stage process, exploiting trust to manipulate victims into divulging sensitive information or. At its core, callback phishing is a sophisticated social engineering tactic that triggers an emotional reaction from a victim and compels them to engage.\n\nStrange alleged tribute website appears to target Tsara Brashears. The alleged SA victims name is Catherine 'Daisy' Coleman name isn't part infrastructure. Malicious", "modified": "2024-02-29T04:00:48.424000", "created": "2024-01-30T07:08:10.072000", "tags": [ "acceptencoding", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers xcache", "wp engine", "threat", "paste", "iocs", "urls https", "samples", "contacted", "apple", "ssl certificate", "whois record", "contacted", "historical ssl", "referrer", "execution", "tsara brashears", "apple ios", "historical", "communicating", "copy", "attack", "njrat", "ransomware", "hacktool", "metro", "malicious", "crypto", "installer", "awful", "startpage", "callback phishing", "safebae", "catherine daisy coleman", "pegasus", "nso", "kb font", "january", "http", "resource path", "size", "type mimetype", "primary request", "kb document", "general full", "url http", "low risk", "sucuri firewall", "malware found", "site", "unknown", "low security", "risk", "website malware", "security no", "protect", "html internet", "html document", "unicode text", "utf8 text", "no data", "tag count", "sample summary", "sample", "detection list", "blacklist", "count blacklist", "tag tag", "anchor hrefs", "wordpress", "html info", "title safebae", "anyone else", "meta tags", "wpbakery page", "builder", "slider plugin", "script tags", "passive dns", "urls", "a nxdomain", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "files", "domain", "files ip", "united", "status", "as13768 aptum", "date", "moved", "creation date", "search", "record value", "body", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "false", "as30148 sucuri", "a domains", "gmt content", "ipv4", "win64", "back", "linux mint", "hacking", "brian sabey", "tracking", "hallrender", "staging", "dns", "network", "control", "bazar" ], "references": [ "https://safebae.org/", "www.hallrender.com", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "http://files.geoffreyobrian.com/uploads/1/3/2/8/132814305/3473236.pdf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing/ links to Brashears browser Google.com.uy/clk malicious, links for collection", "https://applemusic-spotlight.myunidays.com/US/en-US? [potential Apple pegasus media entrance]", "'https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption| password unlocker]", "s3.amazonaws.com [ metro T-Mobile spyware porn]", "9.6.zip - SQLi", "dns.trackgroup.net", "nr-data.net [Apple Private Data Collection]", "scripting-sandbox-dns.bunny.net", "http://www.01tracks.com/happy-customers", "https://www.rallypoint.com/command-post/veterans-benefits-banking-program-integrates-with-vetcents-to-improve-veterans-financial-health?utm_source=dept_of_va&utm_medium=email&utm_campaign=vavetcents", "http://yabs.yandex.uz/count/DbMMoEMwcAa508C2CI72BLq00000EEu2G0980c2y26W2SBYTbz06W06CXPm9Y06nyBJ1CP01mldXrZ6O0S3OwEyok06sjOF85S01NDW1uiI14E01zEhV3-W1Q9W2bk3S1A02jCW1s082y0AM-kpb2_W2aF62vgN6kDNb0O03iD_Kq0-80-cvf8mEc0EweogW0mIe0mQm0mIm106u1Fy1w0J-jHRu1D660uW5qOO3a0MGuWkW1PPtg0MeOx05g6Eu1VN-0i05bP0Lo0N0hmNW1GNm1G6O1eBGhFCEe0Q-eG6e1jW2oGPlwQdYVheAOD46Rn4LqN-w2c3P1W000C2z0000gGTjZOZwJYhCDx07W82ODD070k07XWhn1wbhSBFKCwp6W0WAq0Y0WeI1nP20Xe01u0YQP80A0S4A00000000y3_O2WBW2e29UlWAWBKOgWiGasxIrMsD000sz7Ltouq50DaBROs8-aug", "remote.utorrent.com | pornhub.dev | lp.rallypoint.com", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Twitter porno]", "https://www.hallrender.com/attorney/brian-sabey/Accept [Weird - defended Jeffrey Scott Reimer Tsara Brashears alleged assaulter[", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png [offered Brashears settlement that month]", "deadlyexploits.com | deadlysymbol.com |", "amail.linuxmint.com | api1-live.linuxmint.com | Hostname apipackages.linuxmint.com | apollo-extra.linuxmint.com | apps.linuxmint.com | arc.linuxmint.com | archive.linuxmint.com | betaforums1.linuxmint.com Hostname blogs.linuxmint.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Callback Phishing", "display_name": "Callback Phishing", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "BazarCall", "display_name": "BazarCall", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2802, "URL": 3266, "domain": 1458, "hostname": 1265, "FileHash-MD5": 227, "FileHash-SHA1": 144, "CVE": 2, "email": 1, "SSLCertFingerprint": 2 }, "indicator_count": 9167, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "780 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b8a056f2c1f16d391175b0", "name": "Callback Phishing Campaign | Pegasus | Callback Phishing | https://safebae.org/", "description": "Multiple ransomware groups have adopted the BazarCall callback phishing technique a sophisticated scam; to gain initial access to victims' networks\nCallback phishing is a relying on a multi-stage process, exploiting trust to manipulate victims into divulging sensitive information or. At its core, callback phishing is a sophisticated social engineering tactic that triggers an emotional reaction from a victim and compels them to engage.\n\nStrange alleged tribute website appears to target Tsara Brashears. The alleged SA victims name is Catherine 'Daisy' Coleman name isn't part infrastructure. Malicious", "modified": "2024-02-29T04:00:48.424000", "created": "2024-01-30T07:08:06.711000", "tags": [ "acceptencoding", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers xcache", "wp engine", "threat", "paste", "iocs", "urls https", "samples", "contacted", "apple", "ssl certificate", "whois record", "contacted", "historical ssl", "referrer", "execution", "tsara brashears", "apple ios", "historical", "communicating", "copy", "attack", "njrat", "ransomware", "hacktool", "metro", "malicious", "crypto", "installer", "awful", "startpage", "callback phishing", "safebae", "catherine daisy coleman", "pegasus", "nso", "kb font", "january", "http", "resource path", "size", "type mimetype", "primary request", "kb document", "general full", "url http", "low risk", "sucuri firewall", "malware found", "site", "unknown", "low security", "risk", "website malware", "security no", "protect", "html internet", "html document", "unicode text", "utf8 text", "no data", "tag count", "sample summary", "sample", "detection list", "blacklist", "count blacklist", "tag tag", "anchor hrefs", "wordpress", "html info", "title safebae", "anyone else", "meta tags", "wpbakery page", "builder", "slider plugin", "script tags", "passive dns", "urls", "a nxdomain", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "files", "domain", "files ip", "united", "status", "as13768 aptum", "date", "moved", "creation date", "search", "record value", "body", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "false", "as30148 sucuri", "a domains", "gmt content", "ipv4", "win64", "back", "linux mint", "hacking", "brian sabey", "tracking", "hallrender", "staging", "dns", "network", "control", "bazar" ], "references": [ "https://safebae.org/", "www.hallrender.com", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "http://files.geoffreyobrian.com/uploads/1/3/2/8/132814305/3473236.pdf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing/ links to Brashears browser Google.com.uy/clk malicious, links for collection", "https://applemusic-spotlight.myunidays.com/US/en-US? [potential Apple pegasus media entrance]", "'https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption| password unlocker]", "s3.amazonaws.com [ metro T-Mobile spyware porn]", "9.6.zip - SQLi", "dns.trackgroup.net", "nr-data.net [Apple Private Data Collection]", "scripting-sandbox-dns.bunny.net", "http://www.01tracks.com/happy-customers", "https://www.rallypoint.com/command-post/veterans-benefits-banking-program-integrates-with-vetcents-to-improve-veterans-financial-health?utm_source=dept_of_va&utm_medium=email&utm_campaign=vavetcents", "http://yabs.yandex.uz/count/DbMMoEMwcAa508C2CI72BLq00000EEu2G0980c2y26W2SBYTbz06W06CXPm9Y06nyBJ1CP01mldXrZ6O0S3OwEyok06sjOF85S01NDW1uiI14E01zEhV3-W1Q9W2bk3S1A02jCW1s082y0AM-kpb2_W2aF62vgN6kDNb0O03iD_Kq0-80-cvf8mEc0EweogW0mIe0mQm0mIm106u1Fy1w0J-jHRu1D660uW5qOO3a0MGuWkW1PPtg0MeOx05g6Eu1VN-0i05bP0Lo0N0hmNW1GNm1G6O1eBGhFCEe0Q-eG6e1jW2oGPlwQdYVheAOD46Rn4LqN-w2c3P1W000C2z0000gGTjZOZwJYhCDx07W82ODD070k07XWhn1wbhSBFKCwp6W0WAq0Y0WeI1nP20Xe01u0YQP80A0S4A00000000y3_O2WBW2e29UlWAWBKOgWiGasxIrMsD000sz7Ltouq50DaBROs8-aug", "remote.utorrent.com | pornhub.dev | lp.rallypoint.com", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Twitter porno]", "https://www.hallrender.com/attorney/brian-sabey/Accept [Weird - defended Jeffrey Scott Reimer Tsara Brashears alleged assaulter[", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png [offered Brashears settlement that month]", "deadlyexploits.com | deadlysymbol.com |", "amail.linuxmint.com | api1-live.linuxmint.com | Hostname apipackages.linuxmint.com | apollo-extra.linuxmint.com | apps.linuxmint.com | arc.linuxmint.com | archive.linuxmint.com | betaforums1.linuxmint.com Hostname blogs.linuxmint.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Callback Phishing", "display_name": "Callback Phishing", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "BazarCall", "display_name": "BazarCall", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2802, "URL": 3266, "domain": 1458, "hostname": 1265, "FileHash-MD5": 227, "FileHash-SHA1": 144, "CVE": 2, "email": 1, "SSLCertFingerprint": 2 }, "indicator_count": 9167, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "780 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b8a052c4160dbd76054f8a", "name": "Callback Phishing Campaign | Pegasus | Callback Phishing | https://safebae.org/", "description": "Multiple ransomware groups have adopted the BazarCall callback phishing technique a sophisticated scam; to gain initial access to victims' networks\nCallback phishing is a relying on a multi-stage process, exploiting trust to manipulate victims into divulging sensitive information or. At its core, callback phishing is a sophisticated social engineering tactic that triggers an emotional reaction from a victim and compels them to engage.\n\nStrange alleged tribute website appears to target Tsara Brashears. The alleged SA victims name is Catherine 'Daisy' Coleman name isn't part infrastructure. Malicious", "modified": "2024-02-29T04:00:48.424000", "created": "2024-01-30T07:08:02.918000", "tags": [ "acceptencoding", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers xcache", "wp engine", "threat", "paste", "iocs", "urls https", "samples", "contacted", "apple", "ssl certificate", "whois record", "contacted", "historical ssl", "referrer", "execution", "tsara brashears", "apple ios", "historical", "communicating", "copy", "attack", "njrat", "ransomware", "hacktool", "metro", "malicious", "crypto", "installer", "awful", "startpage", "callback phishing", "safebae", "catherine daisy coleman", "pegasus", "nso", "kb font", "january", "http", "resource path", "size", "type mimetype", "primary request", "kb document", "general full", "url http", "low risk", "sucuri firewall", "malware found", "site", "unknown", "low security", "risk", "website malware", "security no", "protect", "html internet", "html document", "unicode text", "utf8 text", "no data", "tag count", "sample summary", "sample", "detection list", "blacklist", "count blacklist", "tag tag", "anchor hrefs", "wordpress", "html info", "title safebae", "anyone else", "meta tags", "wpbakery page", "builder", "slider plugin", "script tags", "passive dns", "urls", "a nxdomain", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "files", "domain", "files ip", "united", "status", "as13768 aptum", "date", "moved", "creation date", "search", "record value", "body", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "false", "as30148 sucuri", "a domains", "gmt content", "ipv4", "win64", "back", "linux mint", "hacking", "brian sabey", "tracking", "hallrender", "staging", "dns", "network", "control", "bazar" ], "references": [ "https://safebae.org/", "www.hallrender.com", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "http://files.geoffreyobrian.com/uploads/1/3/2/8/132814305/3473236.pdf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing/ links to Brashears browser Google.com.uy/clk malicious, links for collection", "https://applemusic-spotlight.myunidays.com/US/en-US? [potential Apple pegasus media entrance]", "'https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption| password unlocker]", "s3.amazonaws.com [ metro T-Mobile spyware porn]", "9.6.zip - SQLi", "dns.trackgroup.net", "nr-data.net [Apple Private Data Collection]", "scripting-sandbox-dns.bunny.net", "http://www.01tracks.com/happy-customers", "https://www.rallypoint.com/command-post/veterans-benefits-banking-program-integrates-with-vetcents-to-improve-veterans-financial-health?utm_source=dept_of_va&utm_medium=email&utm_campaign=vavetcents", "http://yabs.yandex.uz/count/DbMMoEMwcAa508C2CI72BLq00000EEu2G0980c2y26W2SBYTbz06W06CXPm9Y06nyBJ1CP01mldXrZ6O0S3OwEyok06sjOF85S01NDW1uiI14E01zEhV3-W1Q9W2bk3S1A02jCW1s082y0AM-kpb2_W2aF62vgN6kDNb0O03iD_Kq0-80-cvf8mEc0EweogW0mIe0mQm0mIm106u1Fy1w0J-jHRu1D660uW5qOO3a0MGuWkW1PPtg0MeOx05g6Eu1VN-0i05bP0Lo0N0hmNW1GNm1G6O1eBGhFCEe0Q-eG6e1jW2oGPlwQdYVheAOD46Rn4LqN-w2c3P1W000C2z0000gGTjZOZwJYhCDx07W82ODD070k07XWhn1wbhSBFKCwp6W0WAq0Y0WeI1nP20Xe01u0YQP80A0S4A00000000y3_O2WBW2e29UlWAWBKOgWiGasxIrMsD000sz7Ltouq50DaBROs8-aug", "remote.utorrent.com | pornhub.dev | lp.rallypoint.com", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Twitter porno]", "https://www.hallrender.com/attorney/brian-sabey/Accept [Weird - defended Jeffrey Scott Reimer Tsara Brashears alleged assaulter[", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png [offered Brashears settlement that month]", "deadlyexploits.com | deadlysymbol.com |", "amail.linuxmint.com | api1-live.linuxmint.com | Hostname apipackages.linuxmint.com | apollo-extra.linuxmint.com | apps.linuxmint.com | arc.linuxmint.com | archive.linuxmint.com | betaforums1.linuxmint.com Hostname blogs.linuxmint.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Callback Phishing", "display_name": "Callback Phishing", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "BazarCall", "display_name": "BazarCall", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2802, "URL": 3266, "domain": 1458, "hostname": 1265, "FileHash-MD5": 227, "FileHash-SHA1": 144, "CVE": 2, "email": 1, "SSLCertFingerprint": 2 }, "indicator_count": 9167, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "780 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65be8c8b8997508722c642ee", "name": "Phishing Campaign | Pegasus ", "description": "", "modified": "2024-02-29T04:00:48.424000", "created": "2024-02-03T18:57:15.475000", "tags": [ "acceptencoding", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers xcache", "wp engine", "threat", "paste", "iocs", "urls https", "samples", "contacted", "apple", "ssl certificate", "whois record", "contacted", "historical ssl", "referrer", "execution", "tsara brashears", "apple ios", "historical", "communicating", "copy", "attack", "njrat", "ransomware", "hacktool", "metro", "malicious", "crypto", "installer", "awful", "startpage", "callback phishing", "safebae", "catherine daisy coleman", "pegasus", "nso", "kb font", "january", "http", "resource path", "size", "type mimetype", "primary request", "kb document", "general full", "url http", "low risk", "sucuri firewall", "malware found", "site", "unknown", "low security", "risk", "website malware", "security no", "protect", "html internet", "html document", "unicode text", "utf8 text", "no data", "tag count", "sample summary", "sample", "detection list", "blacklist", "count blacklist", "tag tag", "anchor hrefs", "wordpress", "html info", "title safebae", "anyone else", "meta tags", "wpbakery page", "builder", "slider plugin", "script tags", "passive dns", "urls", "a nxdomain", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "files", "domain", "files ip", "united", "status", "as13768 aptum", "date", "moved", "creation date", "search", "record value", "body", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "false", "as30148 sucuri", "a domains", "gmt content", "ipv4", "win64", "back", "linux mint", "hacking", "brian sabey", "tracking", "hallrender", "staging", "dns", "network", "control", "bazar" ], "references": [ "https://safebae.org/", "www.hallrender.com", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "http://files.geoffreyobrian.com/uploads/1/3/2/8/132814305/3473236.pdf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing/ links to Brashears browser Google.com.uy/clk malicious, links for collection", "https://applemusic-spotlight.myunidays.com/US/en-US? [potential Apple pegasus media entrance]", "'https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption| password unlocker]", "s3.amazonaws.com [ metro T-Mobile spyware porn]", "9.6.zip - SQLi", "dns.trackgroup.net", "nr-data.net [Apple Private Data Collection]", "scripting-sandbox-dns.bunny.net", "http://www.01tracks.com/happy-customers", "https://www.rallypoint.com/command-post/veterans-benefits-banking-program-integrates-with-vetcents-to-improve-veterans-financial-health?utm_source=dept_of_va&utm_medium=email&utm_campaign=vavetcents", "http://yabs.yandex.uz/count/DbMMoEMwcAa508C2CI72BLq00000EEu2G0980c2y26W2SBYTbz06W06CXPm9Y06nyBJ1CP01mldXrZ6O0S3OwEyok06sjOF85S01NDW1uiI14E01zEhV3-W1Q9W2bk3S1A02jCW1s082y0AM-kpb2_W2aF62vgN6kDNb0O03iD_Kq0-80-cvf8mEc0EweogW0mIe0mQm0mIm106u1Fy1w0J-jHRu1D660uW5qOO3a0MGuWkW1PPtg0MeOx05g6Eu1VN-0i05bP0Lo0N0hmNW1GNm1G6O1eBGhFCEe0Q-eG6e1jW2oGPlwQdYVheAOD46Rn4LqN-w2c3P1W000C2z0000gGTjZOZwJYhCDx07W82ODD070k07XWhn1wbhSBFKCwp6W0WAq0Y0WeI1nP20Xe01u0YQP80A0S4A00000000y3_O2WBW2e29UlWAWBKOgWiGasxIrMsD000sz7Ltouq50DaBROs8-aug", "remote.utorrent.com | pornhub.dev | lp.rallypoint.com", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Twitter porno]", "https://www.hallrender.com/attorney/brian-sabey/Accept [Weird - defended Jeffrey Scott Reimer Tsara Brashears alleged assaulter[", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png [offered Brashears settlement that month]", "deadlyexploits.com | deadlysymbol.com |", "amail.linuxmint.com | api1-live.linuxmint.com | Hostname apipackages.linuxmint.com | apollo-extra.linuxmint.com | apps.linuxmint.com | arc.linuxmint.com | archive.linuxmint.com | betaforums1.linuxmint.com Hostname blogs.linuxmint.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Callback Phishing", "display_name": "Callback Phishing", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "BazarCall", "display_name": "BazarCall", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "65b8a05a0b9ebf8d916f0a6d", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2802, "URL": 3266, "domain": 1458, "hostname": 1265, "FileHash-MD5": 227, "FileHash-SHA1": 144, "CVE": 2, "email": 1, "SSLCertFingerprint": 2 }, "indicator_count": 9167, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "780 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c970b55f5040aee8c91a55", "name": "Callback Phishing Campaign | Pegasus", "description": "", "modified": "2024-02-29T04:00:48.424000", "created": "2024-02-12T01:13:25.034000", "tags": [ "acceptencoding", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers xcache", "wp engine", "threat", "paste", "iocs", "urls https", "samples", "contacted", "apple", "ssl certificate", "whois record", "contacted", "historical ssl", "referrer", "execution", "tsara brashears", "apple ios", "historical", "communicating", "copy", "attack", "njrat", "ransomware", "hacktool", "metro", "malicious", "crypto", "installer", "awful", "startpage", "callback phishing", "safebae", "catherine daisy coleman", "pegasus", "nso", "kb font", "january", "http", "resource path", "size", "type mimetype", "primary request", "kb document", "general full", "url http", "low risk", "sucuri firewall", "malware found", "site", "unknown", "low security", "risk", "website malware", "security no", "protect", "html internet", "html document", "unicode text", "utf8 text", "no data", "tag count", "sample summary", "sample", "detection list", "blacklist", "count blacklist", "tag tag", "anchor hrefs", "wordpress", "html info", "title safebae", "anyone else", "meta tags", "wpbakery page", "builder", "slider plugin", "script tags", "passive dns", "urls", "a nxdomain", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "files", "domain", "files ip", "united", "status", "as13768 aptum", "date", "moved", "creation date", "search", "record value", "body", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "false", "as30148 sucuri", "a domains", "gmt content", "ipv4", "win64", "back", "linux mint", "hacking", "brian sabey", "tracking", "hallrender", "staging", "dns", "network", "control", "bazar" ], "references": [ "https://safebae.org/", "www.hallrender.com", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "http://files.geoffreyobrian.com/uploads/1/3/2/8/132814305/3473236.pdf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing/ links to Brashears browser Google.com.uy/clk malicious, links for collection", "https://applemusic-spotlight.myunidays.com/US/en-US? [potential Apple pegasus media entrance]", "'https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption| password unlocker]", "s3.amazonaws.com [ metro T-Mobile spyware porn]", "9.6.zip - SQLi", "dns.trackgroup.net", "nr-data.net [Apple Private Data Collection]", "scripting-sandbox-dns.bunny.net", "http://www.01tracks.com/happy-customers", "https://www.rallypoint.com/command-post/veterans-benefits-banking-program-integrates-with-vetcents-to-improve-veterans-financial-health?utm_source=dept_of_va&utm_medium=email&utm_campaign=vavetcents", "http://yabs.yandex.uz/count/DbMMoEMwcAa508C2CI72BLq00000EEu2G0980c2y26W2SBYTbz06W06CXPm9Y06nyBJ1CP01mldXrZ6O0S3OwEyok06sjOF85S01NDW1uiI14E01zEhV3-W1Q9W2bk3S1A02jCW1s082y0AM-kpb2_W2aF62vgN6kDNb0O03iD_Kq0-80-cvf8mEc0EweogW0mIe0mQm0mIm106u1Fy1w0J-jHRu1D660uW5qOO3a0MGuWkW1PPtg0MeOx05g6Eu1VN-0i05bP0Lo0N0hmNW1GNm1G6O1eBGhFCEe0Q-eG6e1jW2oGPlwQdYVheAOD46Rn4LqN-w2c3P1W000C2z0000gGTjZOZwJYhCDx07W82ODD070k07XWhn1wbhSBFKCwp6W0WAq0Y0WeI1nP20Xe01u0YQP80A0S4A00000000y3_O2WBW2e29UlWAWBKOgWiGasxIrMsD000sz7Ltouq50DaBROs8-aug", "remote.utorrent.com | pornhub.dev | lp.rallypoint.com", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Twitter porno]", "https://www.hallrender.com/attorney/brian-sabey/Accept [Weird - defended Jeffrey Scott Reimer Tsara Brashears alleged assaulter[", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png [offered Brashears settlement that month]", "deadlyexploits.com | deadlysymbol.com |", "amail.linuxmint.com | api1-live.linuxmint.com | Hostname apipackages.linuxmint.com | apollo-extra.linuxmint.com | apps.linuxmint.com | arc.linuxmint.com | archive.linuxmint.com | betaforums1.linuxmint.com Hostname blogs.linuxmint.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Callback Phishing", "display_name": "Callback Phishing", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "BazarCall", "display_name": "BazarCall", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "65b8a05a0b9ebf8d916f0a6d", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2802, "URL": 3266, "domain": 1458, "hostname": 1265, "FileHash-MD5": 227, "FileHash-SHA1": 144, "CVE": 2, "email": 1, "SSLCertFingerprint": 2 }, "indicator_count": 9167, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "780 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b809ec9da9326e1bdf8743", "name": "Pegasus | Lazarus Group [Hallrender.com = safebae.oeg + rallypoint.com]", "description": "", "modified": "2024-01-29T20:26:20.769000", "created": "2024-01-29T20:26:20.769000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "657feca7df9ea6c21350c01a", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "811 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b809eabd76cbbfdfc07c6e", "name": "Pegasus | Lazarus Group [Hallrender.com = safebae.oeg + rallypoint.com]", "description": "", "modified": "2024-01-29T20:26:18.174000", "created": "2024-01-29T20:26:18.174000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "657feca7df9ea6c21350c01a", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "811 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657fed19f6d24e751fa82de8", "name": "Lazarus Hosts | https://www.poemhunter.com/tsara-brashears", "description": "", "modified": "2024-01-17T01:04:01.912000", "created": "2023-12-18T06:56:25.399000", "tags": [ "ssl certificate", "whois record", "resolutions", "threat roundup", "referrer", "contacted", "april", "historical ssl", "threat network", "june", "august", "ransomware", "malware", "python", "probe", "formbook", "dropped", "njrat", "malware alibaba", "cloud computing", "service", "love", "execution" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "657fbac9a03d611624985685", "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 152, "FileHash-SHA256": 2657, "URL": 6244, "domain": 1672, "hostname": 2213 }, "indicator_count": 13091, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "823 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657fbac9a03d611624985685", "name": "Lazarus Matrix | https://www.poemhunter.com/tsara-brashears", "description": "Search content targeting American independent artist & publisher; Tsara Brashears. was prominently malvertized before being blacklisted for malicious content. Miscellaneous network, libel, tagging, adult content, social engineering, fine deletion , multiple bot networks. Virus network smear campaign launched by Brian Sabey of Hall Render includes; safebae.org, rallypoit.com, Westlaw.com, \n www.poemhunter.com, pornhub.sev. apple.com, nr- data.com, cia.gov+ \n tracking, hacking monitoring, modifying. banking, ddos, ransomware, webcam, medical records, email threats, attempts. Active 'SA' silencecing campaign. Target & associated in danger. \n \nCritical threat to public. Compromised business with more than 2+ million downloads. Downloads amended by hackers, audience deleted.", "modified": "2024-01-17T01:04:01.912000", "created": "2023-12-18T03:21:45.890000", "tags": [ "ssl certificate", "whois record", "resolutions", "threat roundup", "referrer", "contacted", "april", "historical ssl", "threat network", "june", "august", "ransomware", "malware", "python", "probe", "formbook", "dropped", "njrat", "malware alibaba", "cloud computing", "service", "love", "execution" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 152, "FileHash-SHA256": 2657, "URL": 6244, "domain": 1672, "hostname": 2213 }, "indicator_count": 13091, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "823 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657fbac7f0d96f1ad5d90ccb", "name": "Lazarus Matrix | https://www.poemhunter.com/tsara-brashears", "description": "Search content targeting American independent artist & publisher; Tsara Brashears. was prominently malvertized before being blacklisted for malicious content. Miscellaneous network, libel, tagging, adult content, social engineering, fine deletion , multiple bot networks. Virus network smear campaign launched by Brian Sabey of Hall Render includes; safebae.org, rallypoit.com, Westlaw.com, \n www.poemhunter.com, pornhub.sev. apple.com, nr- data.com, cia.gov+ \n tracking, hacking monitoring, modifying. banking, ddos, ransomware, webcam, medical records, email threats, attempts. Active 'SA' silencecing campaign. Target & associated in danger. \n \nCritical threat to public. Compromised business with more than 2+ million downloads. Downloads amended by hackers, audience deleted.", "modified": "2024-01-17T01:04:01.912000", "created": "2023-12-18T03:21:43.483000", "tags": [ "ssl certificate", "whois record", "resolutions", "threat roundup", "referrer", "contacted", "april", "historical ssl", "threat network", "june", "august", "ransomware", "malware", "python", "probe", "formbook", "dropped", "njrat", "malware alibaba", "cloud computing", "service", "love", "execution" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 152, "FileHash-SHA256": 2657, "URL": 6244, "domain": 1672, "hostname": 2213 }, "indicator_count": 13091, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "823 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657feca7df9ea6c21350c01a", "name": "Lazarus Group [Hallrender.com = safebae.oeg + rallypoint.com] ", "description": "", "modified": "2024-01-16T18:00:08.947000", "created": "2023-12-18T06:54:31.063000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "657f6b136775cbf67d25ddfb", "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6581d8d30621e6303cad9da4", "name": "RallyPoint.com", "description": "", "modified": "2024-01-16T18:00:08.947000", "created": "2023-12-19T17:54:27.416000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "657f69115e6b1bdc8a7dcdbc", "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657f6b136775cbf67d25ddfb", "name": "Lazarus Group [Hallrender.com = safebae.oeg + rallypoint.com] Alias Brian Sabey?", "description": "", "modified": "2024-01-16T18:00:08.947000", "created": "2023-12-17T21:41:39.434000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "657f69115e6b1bdc8a7dcdbc", "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657f6920d79aa646c2d5db49", "name": "RallyPoint.com", "description": "MyPublicWiFi.exe\nRallyPoint.com", "modified": "2024-01-16T18:00:08.947000", "created": "2023-12-17T21:33:20.787000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657f6919cafcba3ac406d5b2", "name": "RallyPoint.com", "description": "MyPublicWiFi.exe\nRallyPoint.com", "modified": "2024-01-16T18:00:08.947000", "created": "2023-12-17T21:33:13.375000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657f69115e6b1bdc8a7dcdbc", "name": "RallyPoint.com", "description": "MyPublicWiFi.exe\nRallyPoint.com", "modified": "2024-01-16T18:00:08.947000", "created": "2023-12-17T21:33:05.056000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658dd341d97d04b0253392d4", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-28T19:57:53.875000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657ab025b97f20f31bbfcd70", "export_count": 522, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "827 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659d6ae800440c0befb47e22", "name": "BazaLoader affiliates use elaborate infection chains via notable victim interaction", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2024-01-09T15:48:56.676000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657c045ef15bd06d27da1b08", "export_count": 250, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "827 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658ef8c00492cc6bdaa8b605", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch | https://safebae.org", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-29T16:50:08.330000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "658dd341d97d04b0253392d4", "export_count": 518, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "827 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657c045ef15bd06d27da1b08", "name": "Resource Hijacking by attorney https://hallrender.com/attorney/brian-sabey", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-15T07:46:38.664000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657c03432f4f2997c7d3aff4", "export_count": 508, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "827 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657c03432f4f2997c7d3aff4", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-15T07:41:55.972000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657ab025b97f20f31bbfcd70", "export_count": 508, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "827 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657ab025b97f20f31bbfcd70", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch", "description": "Alleged attorney defending Jeffrey Scott Reimer DPT. Firm uses every possible tool to destroy, make life unbearable, threaten and cause harm to targets. I don't feel safe. I hope this research helps the next target.\n\nMissouri government is seen throughout. The corruption is mafia deep. There is tracking. In person stalking, theft, identity theft, mail theft, modification of records and services, legitimate death threats,etc.\nOpen records act: Target has made multiple reports to authorities regarding physical assaults, threats, phone hacking, etc. OCA: Reports show a settlement was paid by Brian Sabey in part to help Tsara Brashears discover hacker.\nI've been receiving death threats, followed, property accessed, tampering. Attacking entire family including her children, father and beyond.", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-14T07:35:01.537000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": null, "export_count": 512, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "827 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657aaff046e2083b423a39e2", "name": "Inmortal Invoke-Mimikatz", "description": "Attorney defending Jeffrey Scott Reimer DPT. Firm uses every possible tool to destroy, make life uncomfortable, threaten and cause harm to targets.\nPossible masquerading / DBA as attorney with such illegal behavior.\nMay have been hired to harass and...she is reported dead of suicide morning after reporting harassment. Missouri government is seen throughout as if hired by firm. If this is a true law firm , the corruption is mafia deep. \n\nI'm 24/7 followed. Hacked l, etc. \nVery expensive threat and deliver campaign. Verdict: Digital profile completely destroyed. Lives at risk.", "modified": "2024-01-12T04:02:22.872000", "created": "2023-12-14T07:34:08.701000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": null, "export_count": 438, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1995, "hostname": 3222, "URL": 7179, "FileHash-MD5": 2749, "FileHash-SHA1": 1538, "FileHash-SHA256": 4661, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 21381, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "828 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "nr-data.net [Apple Private Data Collection]", "www.hallrender.com", "https://otx.alienvault.com/indicator/url/https://miles-andmore.duckdns.org/ihFKGyel4wizIPNVvHHQQIuHfl4hEb2F6gWEXupmNDuiMJgJtshSlLFmilf3zCT2EF/index.html", "\u2193\u2192Found in: https://house.mo.gov/\u2193", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple/ iOS unlocker password decryption]", "https://your-sugar-girls.com/cams/default/adult/5277/index.html?p1=https://bongacams10.com/track?c=621661&subid=1a1d33f51a7179480c6d4aeb40d3a5a1&subid2=16969639", "oooooooooo.ga \u2022 rallypoint.com \u2022 pornhub.dev \u2022 chats.pornhub.dev \u2022 https://twitter.com/PORNO_SEXYBABES \u2022 https://matrix.pornhub.dev \u2022 https://git.pornhub.dev", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "https://enter.private.com/track/MTIxODEuNjEuMi41MjEuMTAxMC4wLjAuMC4w/join", "hallrender.com \u2022 government.westlaw.com \u2022 http://dev.hallrender.com/ \u2022 https://mercy.hallrender.com/ \u2022 autodiscover.hallrender.com", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "safebae.org \u2022 rp.dudaran2.com \u2022 www.safebae.org \u2022 https://safebae.org/%20%5B \u2022 https://safebae.org/about/ \u2022 https://safebae.org/", "rp.dudaran2.com [routerlogin.net to safebae.org]", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-48x48.png \u2022 http://2fwww.hallrender.com/", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing/ links to Brashears browser Google.com.uy/clk malicious, links for collection", "http://nudeteenporn.site", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "c.oooooooooo.ga (c.apple.com cdn)", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.anyxxxtube.net/media/favicon/apple", "https://tracking.s-unlock.com \u2022 https://ignaciob.com/track/click/v2-318692303 \u2022 adepttracker.com \u2022", "sexuallybroken.info \u2022 sinful-bordello.top-sex.us \u2022 crackedtool.com \u2022 kddi-cloud.com \u2022 http://tuksex.duckdns.org/bb/login.php", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "remote.utorrent.com [remote router logins]", "alohatube.xyz [BotNetwork]", "https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg", "apple-aqo.com (1 DNSPod.net)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "demo.auth.civicalg.com.sni.cloudflaressl.com", "https://www.rallypoint.com/command-post/veterans-benefits-banking-program-integrates-with-vetcents-to-improve-veterans-financial-health?utm_source=dept_of_va&utm_medium=email&utm_campaign=vavetcents", "dns.trackgroup.net", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png \u2022 https://vcards.hallrender.com/", "https://www.house.mo.gov:80/messageboard/ \u2022 extranet16.mo.gov \u2022 login.mo.gov \u2022 witness.house.mo.gov \u2022 dps.mo.gov \u2022 dev-publicdefender.mo.gov", "dns.msftncsi.com \u2022 https://dns.msftncsi.com/ \u2022 http://dns.msftncsi.com/", "https://www.hallrender.com/attorney/brian-sabey", "https://click.stecloud.us/campaign/track-email/384458660__3339__6837152__393", "batchpublicrecords.westlaw.com", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "Target\u2193\u2192 Tsara Brashears: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "happyrabbit.kr [Apple iOS threat]", "init.ess.apple.com ( Code Script \u2022 MortalK)", "www.dead-speak.com", "https://www.hallrender.com/attorney/brian-sabey/Accept [Weird - defended Jeffrey Scott Reimer Tsara Brashears alleged assaulter[", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "https://safebae.org/wp-json/ \u2022 https://safebae.org/wp-content/plugins/embed-any-document/css/embed-public.min.css?ver=2.7.4", "amail.linuxmint.com | api1-live.linuxmint.com | Hostname apipackages.linuxmint.com | apollo-extra.linuxmint.com | apps.linuxmint.com | arc.linuxmint.com | archive.linuxmint.com | betaforums1.linuxmint.com Hostname blogs.linuxmint.com", "deadlyexploits.com | deadlysymbol.com |", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://appletoncdn.xyz/l/26422915e0d4f6f88646?sub=5eafeec1af7c0a0001960f44&source=81 \u2022 appletoncdn.xyz", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Twitter porno]", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "23.216.147.64", "dns.msftncsi.com", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "facebooksunglassshop.com", "http://hallrender.com/attorney/brian-sabey \u2022 https://hallrender.com/attorney/brian-sabey \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "Malware Hosting: deviceinbox.com \u2022 http://www.hakoonportal.net/240714d/240714_t2.exe \u2022103.246.145.111 \u2022 Spyware: stream.ntpserver.store", "west-sca.duckdns.org", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&", "http://yabs.yandex.uz/count/DbMMoEMwcAa508C2CI72BLq00000EEu2G0980c2y26W2SBYTbz06W06CXPm9Y06nyBJ1CP01mldXrZ6O0S3OwEyok06sjOF85S01NDW1uiI14E01zEhV3-W1Q9W2bk3S1A02jCW1s082y0AM-kpb2_W2aF62vgN6kDNb0O03iD_Kq0-80-cvf8mEc0EweogW0mIe0mQm0mIm106u1Fy1w0J-jHRu1D660uW5qOO3a0MGuWkW1PPtg0MeOx05g6Eu1VN-0i05bP0Lo0N0hmNW1GNm1G6O1eBGhFCEe0Q-eG6e1jW2oGPlwQdYVheAOD46Rn4LqN-w2c3P1W000C2z0000gGTjZOZwJYhCDx07W82ODD070k07XWhn1wbhSBFKCwp6W0WAq0Y0WeI1nP20Xe01u0YQP80A0S4A00000000y3_O2WBW2e29UlWAWBKOgWiGasxIrMsD000sz7Ltouq50DaBROs8-aug", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com - Lockbit Black 3.0, Observed AridViper CnC Domain, Win.Trojan.Midia-4", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png", "http://files.geoffreyobrian.com/uploads/1/3/2/8/132814305/3473236.pdf", "NSO Group - Pegasus: enterprise.cellebrite.com \u2022 cellebrite.com \u2022 erp002.blackbagtech.com \u2022 140.108.21.184", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "s3.amazonaws.com [ metro T-Mobile spyware porn]", "https://safebae.org/", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "http://alohatube.xyz/search/tsara-brashears [Telecom \u2022 Brashears Telecom services modified (malicious)]", "192.124.249.53:80", "government.westlaw.com", "Tracking: http://www.trackip.net/ip \u2022 gfx.ms \u2022 dssruletracker.mo.gov [network] \u2022 earlyconnections.mo.gov \u2022 www77.trackerspy.com \u2022 ww38.track.updatevideos.com", "http://web2.westlaw.com/find/default.wl?tf=-1&rs=WLW9.10&referencepositiontype=S&serialnum=1987042953&fn=_top&sv=Split&referenceposition=1555&pbc=D5845283&tc=-1&ordoc=1989026578&findtype=Y&db=708&vr=2.0&rp=/find/default.wl&mt=208", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-300x300.png \u2022 http://mail2.hallrender.com/", "http://images.startappservice.com/image/fetch/f_auto \u2022 track.smtpsendemail.com \u2022 nr-data.net [apple] \u2022 lg.as35280.net \u2022 leaseway.damstracking.com", "https://applemusic-spotlight.myunidays.com/US/en-US? [potential Apple pegasus media entrance]", "'https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption| password unlocker]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Malware Hosting: http://81.5.88.13/dbreader.exe \u2022 http://utasoft.ru/catalog/view/javascript/jquery/ui/jquery-ui-1.8.16.custom.min.js", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "government.westlaw.com \u2022 hero9780.duckdns.org \u2022 hallrender.com \u2022 miles-andmore.duckdns.org", "http://tracking.studyportalsmail.com/about/privacy/?cdmtw=BAAAIAEAIGmGCaIK4E8-IsDv \u2022 tracking.studyportalsmail.com \u2022 plugtrack.online", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "http://tvm77.fashiongup.in/tracking/track-open", "9.6.zip - SQLi", "batchcourtexpressservicesqa.westlaw.com", "https://nl.toyota.be/tme [vehicle spyware, camera, data, speakers]", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "http://dobkinfamily.com/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/cum-on-ass-porn/", "https://safebae.org/wp-content/plugins/addons-for-visual-composer/assets/js/slick.min.js?ver=2.9.2 \u2022 https://api.w.org/ \u2022 247.0.198.104.bc.googleusercontent.com", "https://poemhunter.com/tsara-brashears/", "https://house.mo.gov/ \u2022 house.mo.gov \u2022 mo.gov", "www.hallrender.com (malware hosting)", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "Apple Malware: http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Apple unlocker, decryption via media]", "https://hallrender.com/attorney/brian-sabey", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "https://otx.alienvault.com/indicator/ip/45.56.79.23 \u2022 batchcourtexpressservices.westlaw.com \u2022 courtexpress.westlaw.com", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "http://link.mcsa.org/api/LinkHandler/getaction?redirectParam2=K09weU5vMDBKWW90Wk1hcHl4SmF4NGtHbnBGbjJaVElud2tpMlBaUGhseXZNM0JLaHRaUnJZOVh1bmMvSVhYWDZhb0UwY2hPaGVuSGNDRUFYeHNzWWFQL0dBNVlRVmlTSGpXa016bUQzWUZ6cVZRcktRTmRyZHJPYlBrY1NpSyt6ZzBrS0FjWk9EYSs4WmdOc2RBU09CR1RjWVNiTUZpYkhNV1lvNzkwbzhLMUxDUzQzS0FaVU5LYTZWSUZoS1Vt", "us-west-2.es.amazonaws.com (pslicorp)", "www42.jhonisdead.com", "remote.utorrent.com | pornhub.dev | lp.rallypoint.com", "scripting-sandbox-dns.bunny.net", "http://www.01tracks.com/happy-customers", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png [offered Brashears settlement that month]" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "NSO Group" ], "malware_families": [ "Behav", "Webtoolbar", "Pegasus", "Win.trojan.midia-4", "Evilnum", "Trojan:win32/tiggre", "Arid.viper_cnc", "Win32.pdf.alien", "Suppobox", "Keylogger", "Remcos rat", "Sonbokli", "Vitzo", "Chaos", "Cobalt strike", "Hacktool", "China telecom", "Lockbit", "Njrat", "Emotet", "Quasar rat", "Win32/socstealer!rfn", "Azorult", "Alf:heraklezeval:trojan:win32/ymacco.aa47", "Redirector", "Backdoor.win32.shiz.ufj", "Mirai", "Hallrender", "Asyncrat", "Ubot", "Callback phishing", "Nokoyawa ransomware", "Beach research", "Invoke-mimikatz", "Ransomexx", "Flubot", "Ransomware", "Ursnif", "Wininicrypt", "Qakbot", "Zbot", "Domains", "Trojan:win32/wacatac", "Alf:trojan:win32/formbook", "Apnic", "Wannacry", "Tulach", "Eternalblue", "Bazarcall", "Inmortal", "Amadey", "Agent tesla", "Maze", "Zeus", "Qbot", "Email-worm.win32.brontok.n", "Freemake", "Rms", "Redline", "Hsbc", "Wannacry kill switch", "Win.trojan.agent-336074", "Dark", "Parallax rat", "Uztuby", "Babar", "Maltiverse", "Pws:win32/qqpass.ci", "Trojanspy", "Djvu", "Cl0p", "Bandit stealer" ], "industries": [ "Health" ], "unique_indicators": 94896 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/oooooooooo.ga", "whois": "http://whois.domaintools.com/oooooooooo.ga", "domain": "oooooooooo.ga", "hostname": "a.oooooooooo.ga" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 29, "pulses": [ { "id": "69bf8e2663d5480917ddb699", "name": "Pegasus - https://house.mo.gov/ | Brian Sabey HallRender [i cloned OctoSeek] T8", "description": "", "modified": "2026-03-22T08:35:26.266000", "created": "2026-03-22T06:37:26.233000", "tags": [ "united", "as393601 state", "a domains", "passive dns", "as397241", "certificate", "urls", "search", "showing", "entries", "algorithm", "full name", "data", "v3 serial", "number", "cus cndigicert", "global g2", "tls rsa", "sha256", "ca1 odigicert", "info", "record type", "ttl value", "all txt", "ssl certificate", "whois record", "contacted", "referrer", "resolutions", "historical ssl", "communicating", "problems", "parent domain", "njrat", "ransomware", "startpage", "historical", "malware", "execution", "threat roundup", "april", "september", "remcos rat", "august", "june", "qakbot", "push", "service", "privateloader", "amadey", "powershell", "qbot", "cobalt strike", "core", "hacktool", "november", "october", "roundup", "threat network", "cellbrite", "february", "emotet", "maze", "metro", "dark", "malicious", "team", "critical", "copy", "awful", "parallax rat", "banker", "keylogger", "dns replication", "date", "csc corporate", "domains", "code", "server", "registrar abuse", "registrar iana", "registry domain", "registrar url", "registrar", "contact phone", "apple ios", "quasar", "remcos", "ursnif", "chaos", "ransomexx", "azorult", "agent tesla", "evilnum", "asyncrat", "win32 exe", "wininit", "beta version", "cmstp", "taskscheduler", "ieudinit", "nat32", "certsentry", "type name", "wc3 rpg", "pegasus", "unknown", "domain", "servers", "germany unknown", "name servers", "status", "next", "as29066 host", "as133618", "cname", "as47846", "scan endpoints", "all octoseek", "pulse pulses", "encrypt", "china unknown", "as38365 beijing", "as134175 unit", "707713", "hong kong", "virgin islands", "as6461 zayo", "ransom", "exploit", "ipv4", "pulse submit", "url analysis", "trojan", "body", "click", "creation date", "emails", "expiration date", "domain privacy", "hostname", "dynamicloader", "state", "medium", "msie", "windows nt", "wow64", "show", "slcc2", "media center", "error", "delphi", "guard", "write", "win32", "target", "redir", "facebook", "dcom", "local", "delete", "utf8", "unicode text", "crlf line", "rgba", "yara detections", "default", "asnone", "get na", "dns lookup", "probe ms17010", "eternalblue", "playgame", "high", "related pulses", "yara rule", "anomalous file", "dynamic", "malware infection", "cnc", "procmem_yara", "antivm_generic_disk", "modify_proxy infostealer_cookies", "network_http", "anomalous_deletefile", "antidebug_guardpages", "powershell_request", "powershell_download", "as63949 linode", "mtb feb", "open ports", "backdoor", "gmt content", "trojandropper", "simda", "lockbit", "win.trojan", "midia-4", "floxif", "cryptowall", "brontok", "check in", "record value", "files", "location united", "america asn", "as16509", "download", "threat", "paste", "iocs", "analyze", "hostnames", "urls http", "samples", "tsara brashears", "2nd corintnthians 4:8-9", "injection_inter_process", "injection_create_remote_thread", "persistence_autorun", "bypass_firewall", "disables_windowsupdate", "dynamic_function_loading", "http_request", "query", "delete c", "activity dns", "components", "file execution", "observed dns", "as4837 china", "nxdomain", "a nxdomain", "wannacry", "missouri", "safebae", "hallrender", "house.mo.gov", "typosquatting", "tactics", "google", "win64", "khtml", "gecko", "veryhigh", "aes256gcm", "dalles", "cookie", "urls https", "xpcegvo2adsnq", "mhkz", "mvi2", "keepaliveyes", "fexp24007246", "nsyt", "eva reimer", "daisy coleman", "brian sabey", "https://lawlink.com/documents/10935/blackbag-technologies-announ" ], "references": [ "https://house.mo.gov/ \u2022 house.mo.gov \u2022 mo.gov", "dns.msftncsi.com", "NSO Group - Pegasus: enterprise.cellebrite.com \u2022 cellebrite.com \u2022 erp002.blackbagtech.com \u2022 140.108.21.184", "Target\u2193\u2192 Tsara Brashears: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "23.216.147.64", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple/ iOS unlocker password decryption]", "http://alohatube.xyz/search/tsara-brashears [Telecom \u2022 Brashears Telecom services modified (malicious)]", "alohatube.xyz [BotNetwork]", "facebooksunglassshop.com", "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com - Lockbit Black 3.0, Observed AridViper CnC Domain, Win.Trojan.Midia-4", "oooooooooo.ga \u2022 rallypoint.com \u2022 pornhub.dev \u2022 chats.pornhub.dev \u2022 https://twitter.com/PORNO_SEXYBABES \u2022 https://matrix.pornhub.dev \u2022 https://git.pornhub.dev", "http://dobkinfamily.com/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/cum-on-ass-porn/", "government.westlaw.com \u2022 hero9780.duckdns.org \u2022 hallrender.com \u2022 miles-andmore.duckdns.org", "https://otx.alienvault.com/indicator/url/https://miles-andmore.duckdns.org/ihFKGyel4wizIPNVvHHQQIuHfl4hEb2F6gWEXupmNDuiMJgJtshSlLFmilf3zCT2EF/index.html", "remote.utorrent.com [remote router logins]", "Tracking: http://www.trackip.net/ip \u2022 gfx.ms \u2022 dssruletracker.mo.gov [network] \u2022 earlyconnections.mo.gov \u2022 www77.trackerspy.com \u2022 ww38.track.updatevideos.com", "http://tracking.studyportalsmail.com/about/privacy/?cdmtw=BAAAIAEAIGmGCaIK4E8-IsDv \u2022 tracking.studyportalsmail.com \u2022 plugtrack.online", "http://images.startappservice.com/image/fetch/f_auto \u2022 track.smtpsendemail.com \u2022 nr-data.net [apple] \u2022 lg.as35280.net \u2022 leaseway.damstracking.com", "http://tvm77.fashiongup.in/tracking/track-open", "https://www.house.mo.gov:80/messageboard/ \u2022 extranet16.mo.gov \u2022 login.mo.gov \u2022 witness.house.mo.gov \u2022 dps.mo.gov \u2022 dev-publicdefender.mo.gov", "https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg", "http://hallrender.com/attorney/brian-sabey \u2022 https://hallrender.com/attorney/brian-sabey \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-48x48.png \u2022 http://2fwww.hallrender.com/", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png \u2022 https://vcards.hallrender.com/", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-300x300.png \u2022 http://mail2.hallrender.com/", "hallrender.com \u2022 government.westlaw.com \u2022 http://dev.hallrender.com/ \u2022 https://mercy.hallrender.com/ \u2022 autodiscover.hallrender.com", "http://web2.westlaw.com/find/default.wl?tf=-1&rs=WLW9.10&referencepositiontype=S&serialnum=1987042953&fn=_top&sv=Split&referenceposition=1555&pbc=D5845283&tc=-1&ordoc=1989026578&findtype=Y&db=708&vr=2.0&rp=/find/default.wl&mt=208", "https://otx.alienvault.com/indicator/ip/45.56.79.23 \u2022 batchcourtexpressservices.westlaw.com \u2022 courtexpress.westlaw.com", "safebae.org \u2022 rp.dudaran2.com \u2022 www.safebae.org \u2022 https://safebae.org/%20%5B \u2022 https://safebae.org/about/ \u2022 https://safebae.org/", "https://safebae.org/wp-content/plugins/addons-for-visual-composer/assets/js/slick.min.js?ver=2.9.2 \u2022 https://api.w.org/ \u2022 247.0.198.104.bc.googleusercontent.com", "https://safebae.org/wp-json/ \u2022 https://safebae.org/wp-content/plugins/embed-any-document/css/embed-public.min.css?ver=2.7.4", "Malware Hosting: http://81.5.88.13/dbreader.exe \u2022 http://utasoft.ru/catalog/view/javascript/jquery/ui/jquery-ui-1.8.16.custom.min.js", "Apple Malware: http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Apple unlocker, decryption via media]", "Malware Hosting: deviceinbox.com \u2022 http://www.hakoonportal.net/240714d/240714_t2.exe \u2022103.246.145.111 \u2022 Spyware: stream.ntpserver.store", "https://nl.toyota.be/tme [vehicle spyware, camera, data, speakers]", "http://link.mcsa.org/api/LinkHandler/getaction?redirectParam2=K09weU5vMDBKWW90Wk1hcHl4SmF4NGtHbnBGbjJaVElud2tpMlBaUGhseXZNM0JLaHRaUnJZOVh1bmMvSVhYWDZhb0UwY2hPaGVuSGNDRUFYeHNzWWFQL0dBNVlRVmlTSGpXa016bUQzWUZ6cVZRcktRTmRyZHJPYlBrY1NpSyt6ZzBrS0FjWk9EYSs4WmdOc2RBU09CR1RjWVNiTUZpYkhNV1lvNzkwbzhLMUxDUzQzS0FaVU5LYTZWSUZoS1Vt", "sexuallybroken.info \u2022 sinful-bordello.top-sex.us \u2022 crackedtool.com \u2022 kddi-cloud.com \u2022 http://tuksex.duckdns.org/bb/login.php", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [ "United States of America", "China", "Australia", "Hong Kong" ], "malware_families": [ { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "EVILNUM", "display_name": "EVILNUM", "target": null }, { "id": "Dark", "display_name": "Dark", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Keylogger", "display_name": "Keylogger", "target": null }, { "id": "Maze", "display_name": "Maze", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "Parallax RAT", "display_name": "Parallax RAT", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Remcos RAT", "display_name": "Remcos RAT", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Win.Trojan.Agent-336074", "display_name": "Win.Trojan.Agent-336074", "target": null }, { "id": "Arid.Viper_CnC", "display_name": "Arid.Viper_CnC", "target": null }, { "id": "WininiCrypt", "display_name": "WininiCrypt", "target": null }, { "id": "PWS:Win32/QQpass.CI", "display_name": "PWS:Win32/QQpass.CI", "target": "/malware/PWS:Win32/QQpass.CI" }, { "id": "Win.Trojan.Midia-4", "display_name": "Win.Trojan.Midia-4", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Win32/SocStealer!rfn", "display_name": "Win32/SocStealer!rfn", "target": null }, { "id": "Backdoor.Win32.Shiz.ufj", "display_name": "Backdoor.Win32.Shiz.ufj", "target": null }, { "id": "Email-Worm.Win32.Brontok.n", "display_name": "Email-Worm.Win32.Brontok.n", "target": null }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": "65c91f2b7c03b480379ae4d1", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2668, "FileHash-SHA1": 2469, "FileHash-SHA256": 8054, "URL": 6185, "domain": 2421, "hostname": 3042, "CVE": 5, "email": 15, "CIDR": 1, "IPv4": 18 }, "indicator_count": 24878, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a9e7c572b8411d126215a6", "name": "@scoreblue callback clone", "description": "", "modified": "2026-03-06T05:11:18.020000", "created": "2026-03-05T20:29:57.169000", "tags": [ "acceptencoding", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers xcache", "wp engine", "threat", "paste", "iocs", "urls https", "samples", "contacted", "apple", "ssl certificate", "whois record", "contacted", "historical ssl", "referrer", "execution", "tsara brashears", "apple ios", "historical", "communicating", "copy", "attack", "njrat", "ransomware", "hacktool", "metro", "malicious", "crypto", "installer", "awful", "startpage", "callback phishing", "safebae", "catherine daisy coleman", "pegasus", "nso", "kb font", "january", "http", "resource path", "size", "type mimetype", "primary request", "kb document", "general full", "url http", "low risk", "sucuri firewall", "malware found", "site", "unknown", "low security", "risk", "website malware", "security no", "protect", "html internet", "html document", "unicode text", "utf8 text", "no data", "tag count", "sample summary", "sample", "detection list", "blacklist", "count blacklist", "tag tag", "anchor hrefs", "wordpress", "html info", "title safebae", "anyone else", "meta tags", "wpbakery page", "builder", "slider plugin", "script tags", "passive dns", "urls", "a nxdomain", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "files", "domain", "files ip", "united", "status", "as13768 aptum", "date", "moved", "creation date", "search", "record value", "body", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "false", "as30148 sucuri", "a domains", "gmt content", "ipv4", "win64", "back", "linux mint", "hacking", "brian sabey", "tracking", "hallrender", "staging", "dns", "network", "control", "bazar" ], "references": [ "https://safebae.org/", "www.hallrender.com", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "http://files.geoffreyobrian.com/uploads/1/3/2/8/132814305/3473236.pdf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing/ links to Brashears browser Google.com.uy/clk malicious, links for collection", "https://applemusic-spotlight.myunidays.com/US/en-US? [potential Apple pegasus media entrance]", "'https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption| password unlocker]", "s3.amazonaws.com [ metro T-Mobile spyware porn]", "9.6.zip - SQLi", "dns.trackgroup.net", "nr-data.net [Apple Private Data Collection]", "scripting-sandbox-dns.bunny.net", "http://www.01tracks.com/happy-customers", "https://www.rallypoint.com/command-post/veterans-benefits-banking-program-integrates-with-vetcents-to-improve-veterans-financial-health?utm_source=dept_of_va&utm_medium=email&utm_campaign=vavetcents", "http://yabs.yandex.uz/count/DbMMoEMwcAa508C2CI72BLq00000EEu2G0980c2y26W2SBYTbz06W06CXPm9Y06nyBJ1CP01mldXrZ6O0S3OwEyok06sjOF85S01NDW1uiI14E01zEhV3-W1Q9W2bk3S1A02jCW1s082y0AM-kpb2_W2aF62vgN6kDNb0O03iD_Kq0-80-cvf8mEc0EweogW0mIe0mQm0mIm106u1Fy1w0J-jHRu1D660uW5qOO3a0MGuWkW1PPtg0MeOx05g6Eu1VN-0i05bP0Lo0N0hmNW1GNm1G6O1eBGhFCEe0Q-eG6e1jW2oGPlwQdYVheAOD46Rn4LqN-w2c3P1W000C2z0000gGTjZOZwJYhCDx07W82ODD070k07XWhn1wbhSBFKCwp6W0WAq0Y0WeI1nP20Xe01u0YQP80A0S4A00000000y3_O2WBW2e29UlWAWBKOgWiGasxIrMsD000sz7Ltouq50DaBROs8-aug", "remote.utorrent.com | pornhub.dev | lp.rallypoint.com", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Twitter porno]", "https://www.hallrender.com/attorney/brian-sabey/Accept [Weird - defended Jeffrey Scott Reimer Tsara Brashears alleged assaulter[", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png [offered Brashears settlement that month]", "deadlyexploits.com | deadlysymbol.com |", "amail.linuxmint.com | api1-live.linuxmint.com | Hostname apipackages.linuxmint.com | apollo-extra.linuxmint.com | apps.linuxmint.com | arc.linuxmint.com | archive.linuxmint.com | betaforums1.linuxmint.com Hostname blogs.linuxmint.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Callback Phishing", "display_name": "Callback Phishing", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "BazarCall", "display_name": "BazarCall", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "65b8a052c4160dbd76054f8a", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2802, "URL": 3267, "domain": 1459, "hostname": 1268, "FileHash-MD5": 227, "FileHash-SHA1": 144, "CVE": 2, "email": 1, "SSLCertFingerprint": 2 }, "indicator_count": 9172, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "686ab98ff0cb9baa4e2b2000", "name": "https://house.mo.gov/ Palantir Technologies HARMFUL (copied OctoseekPulse) Attacks SA victims?", "description": "", "modified": "2025-08-05T21:02:46.419000", "created": "2025-07-06T17:59:43.440000", "tags": [ "runtime process", "localappdata", "size", "sha256", "sha1", "temp", "prefetch8", "prefetch1", "unicode text", "type data", "hybrid", "general", "click", "strings", "contact", "mitre", "writes a pe file header to disc", "show process", "date", "document file", "v2 document", "ascii text", "malicious", "local", "path", "found", "ssl certificate", "whois record", "threat roundup", "contacted", "october", "resolutions", "apple ios", "referrer", "communicating", "execution", "june", "august", "emotet", "qakbot", "agent tesla", "azorult", "core", "maze", "metro", "dark", "team", "critical", "copy", "awful", "ursnif", "hacktool", "info", "qbot", "april", "njrat", "nokoyawa", "djvu", "flubot", "ransomware", "bandit stealer", "hallrender", "spyware", "safebae", "tsara brashears", "westlaw", "river.rocks", "brian sabey", "targeting", "dnspionage", "united", "unknown", "search", "aaaa", "showing", "domain", "creation date", "record value", "dnssec", "body", "passive dns", "encrypt", "as14061", "germany unknown", "as397240", "gmt server", "443 ma2592000", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "main", "installing", "as16276", "france unknown", "name servers", "as8075", "servers", "next", "as63949 linode", "as206834 team", "canada unknown", "status", "as61969 team", "msie", "chrome", "ransom", "gone", "title", "head body", "malware" ], "references": [ "\u2193\u2192Found in: https://house.mo.gov/\u2193", "dns.msftncsi.com \u2022 https://dns.msftncsi.com/ \u2022 http://dns.msftncsi.com/", "demo.auth.civicalg.com.sni.cloudflaressl.com", "happyrabbit.kr [Apple iOS threat]", "https://appletoncdn.xyz/l/26422915e0d4f6f88646?sub=5eafeec1af7c0a0001960f44&source=81 \u2022 appletoncdn.xyz", "https://tracking.s-unlock.com \u2022 https://ignaciob.com/track/click/v2-318692303 \u2022 adepttracker.com \u2022", "https://your-sugar-girls.com/cams/default/adult/5277/index.html?p1=https://bongacams10.com/track?c=621661&subid=1a1d33f51a7179480c6d4aeb40d3a5a1&subid2=16969639", "https://click.stecloud.us/campaign/track-email/384458660__3339__6837152__393", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://enter.private.com/track/MTIxODEuNjEuMi41MjEuMTAxMC4wLjAuMC4w/join", "http://nudeteenporn.site" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Nokoyawa Ransomware", "display_name": "Nokoyawa Ransomware", "target": null }, { "id": "Bandit Stealer", "display_name": "Bandit Stealer", "target": null }, { "id": "FluBot", "display_name": "FluBot", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Djvu", "display_name": "Djvu", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Maze", "display_name": "Maze", "target": null }, { "id": "Dark", "display_name": "Dark", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1065", "name": "Uncommonly Used Port", "display_name": "T1065 - Uncommonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" } ], "industries": [], "TLP": "green", "cloned_from": "65c96df8fe0657d56a206a49", "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 251, "FileHash-SHA1": 211, "FileHash-SHA256": 3226, "domain": 1867, "URL": 10030, "hostname": 2919, "CVE": 7, "email": 6 }, "indicator_count": 18517, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "257 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657fee4dec993692315eb9e9", "name": "NjRAT | Threat Network | https://www.poemhunter.com/tsara-brashears ", "description": "", "modified": "2024-09-05T07:13:57.083000", "created": "2023-12-18T07:01:33.682000", "tags": [ "ssl certificate", "whois record", "resolutions", "threat roundup", "referrer", "contacted", "april", "historical ssl", "threat network", "june", "august", "ransomware", "malware", "python", "probe", "formbook", "dropped", "njrat", "malware alibaba", "cloud computing", "service", "love", "execution" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "657fed19f6d24e751fa82de8", "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 152, "FileHash-SHA256": 2775, "URL": 7125, "domain": 1726, "hostname": 2417 }, "indicator_count": 14348, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c91f2b7c03b480379ae4d1", "name": "Pegasus - https://house.mo.gov/ | Brian Sabey HallRender", "description": "1st time researching https://house.mo.gov/ & house.mo.gov. False arrest records of a target originated from Missouri. A glitch delete pulses & references in bulk.\nPegasus is the should be illegal. Destroying evidence of a truth that would be believed if heard. Spying for dirt to discredit. Target heavily deterred by cyber warfare, healthcare fraud, injuries, financial difficulties due to hacked away businesses, strange shadowy government abused, in person stalking, threats and physical attacks, denied disability with a spinal cord injury?\nhttps://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "modified": "2024-03-12T15:03:06.954000", "created": "2024-02-11T19:25:31.451000", "tags": [ "united", "as393601 state", "a domains", "passive dns", "as397241", "certificate", "urls", "search", "showing", "entries", "algorithm", "full name", "data", "v3 serial", "number", "cus cndigicert", "global g2", "tls rsa", "sha256", "ca1 odigicert", "info", "record type", "ttl value", "all txt", "ssl certificate", "whois record", "contacted", "referrer", "resolutions", "historical ssl", "communicating", "problems", "parent domain", "njrat", "ransomware", "startpage", "historical", "malware", "execution", "threat roundup", "april", "september", "remcos rat", "august", "june", "qakbot", "push", "service", "privateloader", "amadey", "powershell", "qbot", "cobalt strike", "core", "hacktool", "november", "october", "roundup", "threat network", "cellbrite", "february", "emotet", "maze", "metro", "dark", "malicious", "team", "critical", "copy", "awful", "parallax rat", "banker", "keylogger", "dns replication", "date", "csc corporate", "domains", "code", "server", "registrar abuse", "registrar iana", "registry domain", "registrar url", "registrar", "contact phone", "apple ios", "quasar", "remcos", "ursnif", "chaos", "ransomexx", "azorult", "agent tesla", "evilnum", "asyncrat", "win32 exe", "wininit", "beta version", "cmstp", "taskscheduler", "ieudinit", "nat32", "certsentry", "type name", "wc3 rpg", "pegasus", "unknown", "domain", "servers", "germany unknown", "name servers", "status", "next", "as29066 host", "as133618", "cname", "as47846", "scan endpoints", "all octoseek", "pulse pulses", "encrypt", "china unknown", "as38365 beijing", "as134175 unit", "707713", "hong kong", "virgin islands", "as6461 zayo", "ransom", "exploit", "ipv4", "pulse submit", "url analysis", "trojan", "body", "click", "creation date", "emails", "expiration date", "domain privacy", "hostname", "dynamicloader", "state", "medium", "msie", "windows nt", "wow64", "show", "slcc2", "media center", "error", "delphi", "guard", "write", "win32", "target", "redir", "facebook", "dcom", "local", "delete", "utf8", "unicode text", "crlf line", "rgba", "yara detections", "default", "asnone", "get na", "dns lookup", "probe ms17010", "eternalblue", "playgame", "high", "related pulses", "yara rule", "anomalous file", "dynamic", "malware infection", "cnc", "procmem_yara", "antivm_generic_disk", "modify_proxy infostealer_cookies", "network_http", "anomalous_deletefile", "antidebug_guardpages", "powershell_request", "powershell_download", "as63949 linode", "mtb feb", "open ports", "backdoor", "gmt content", "trojandropper", "simda", "lockbit", "win.trojan", "midia-4", "floxif", "cryptowall", "brontok", "check in", "record value", "files", "location united", "america asn", "as16509", "download", "threat", "paste", "iocs", "analyze", "hostnames", "urls http", "samples", "tsara brashears", "2nd corintnthians 4:8-9", "injection_inter_process", "injection_create_remote_thread", "persistence_autorun", "bypass_firewall", "disables_windowsupdate", "dynamic_function_loading", "http_request", "query", "delete c", "activity dns", "components", "file execution", "observed dns", "as4837 china", "nxdomain", "a nxdomain", "wannacry", "missouri", "safebae", "hallrender", "house.mo.gov", "typosquatting", "tactics", "google", "win64", "khtml", "gecko", "veryhigh", "aes256gcm", "dalles", "cookie", "urls https", "xpcegvo2adsnq", "mhkz", "mvi2", "keepaliveyes", "fexp24007246", "nsyt", "eva reimer", "daisy coleman", "brian sabey", "https://lawlink.com/documents/10935/blackbag-technologies-announ" ], "references": [ "https://house.mo.gov/ \u2022 house.mo.gov \u2022 mo.gov", "dns.msftncsi.com", "NSO Group - Pegasus: enterprise.cellebrite.com \u2022 cellebrite.com \u2022 erp002.blackbagtech.com \u2022 140.108.21.184", "Target\u2193\u2192 Tsara Brashears: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "23.216.147.64", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple/ iOS unlocker password decryption]", "http://alohatube.xyz/search/tsara-brashears [Telecom \u2022 Brashears Telecom services modified (malicious)]", "alohatube.xyz [BotNetwork]", "facebooksunglassshop.com", "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com - Lockbit Black 3.0, Observed AridViper CnC Domain, Win.Trojan.Midia-4", "oooooooooo.ga \u2022 rallypoint.com \u2022 pornhub.dev \u2022 chats.pornhub.dev \u2022 https://twitter.com/PORNO_SEXYBABES \u2022 https://matrix.pornhub.dev \u2022 https://git.pornhub.dev", "http://dobkinfamily.com/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/cum-on-ass-porn/", "government.westlaw.com \u2022 hero9780.duckdns.org \u2022 hallrender.com \u2022 miles-andmore.duckdns.org", "https://otx.alienvault.com/indicator/url/https://miles-andmore.duckdns.org/ihFKGyel4wizIPNVvHHQQIuHfl4hEb2F6gWEXupmNDuiMJgJtshSlLFmilf3zCT2EF/index.html", "remote.utorrent.com [remote router logins]", "Tracking: http://www.trackip.net/ip \u2022 gfx.ms \u2022 dssruletracker.mo.gov [network] \u2022 earlyconnections.mo.gov \u2022 www77.trackerspy.com \u2022 ww38.track.updatevideos.com", "http://tracking.studyportalsmail.com/about/privacy/?cdmtw=BAAAIAEAIGmGCaIK4E8-IsDv \u2022 tracking.studyportalsmail.com \u2022 plugtrack.online", "http://images.startappservice.com/image/fetch/f_auto \u2022 track.smtpsendemail.com \u2022 nr-data.net [apple] \u2022 lg.as35280.net \u2022 leaseway.damstracking.com", "http://tvm77.fashiongup.in/tracking/track-open", "https://www.house.mo.gov:80/messageboard/ \u2022 extranet16.mo.gov \u2022 login.mo.gov \u2022 witness.house.mo.gov \u2022 dps.mo.gov \u2022 dev-publicdefender.mo.gov", "https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg", "http://hallrender.com/attorney/brian-sabey \u2022 https://hallrender.com/attorney/brian-sabey \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-48x48.png \u2022 http://2fwww.hallrender.com/", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png \u2022 https://vcards.hallrender.com/", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-300x300.png \u2022 http://mail2.hallrender.com/", "hallrender.com \u2022 government.westlaw.com \u2022 http://dev.hallrender.com/ \u2022 https://mercy.hallrender.com/ \u2022 autodiscover.hallrender.com", "http://web2.westlaw.com/find/default.wl?tf=-1&rs=WLW9.10&referencepositiontype=S&serialnum=1987042953&fn=_top&sv=Split&referenceposition=1555&pbc=D5845283&tc=-1&ordoc=1989026578&findtype=Y&db=708&vr=2.0&rp=/find/default.wl&mt=208", "https://otx.alienvault.com/indicator/ip/45.56.79.23 \u2022 batchcourtexpressservices.westlaw.com \u2022 courtexpress.westlaw.com", "safebae.org \u2022 rp.dudaran2.com \u2022 www.safebae.org \u2022 https://safebae.org/%20%5B \u2022 https://safebae.org/about/ \u2022 https://safebae.org/", "https://safebae.org/wp-content/plugins/addons-for-visual-composer/assets/js/slick.min.js?ver=2.9.2 \u2022 https://api.w.org/ \u2022 247.0.198.104.bc.googleusercontent.com", "https://safebae.org/wp-json/ \u2022 https://safebae.org/wp-content/plugins/embed-any-document/css/embed-public.min.css?ver=2.7.4", "Malware Hosting: http://81.5.88.13/dbreader.exe \u2022 http://utasoft.ru/catalog/view/javascript/jquery/ui/jquery-ui-1.8.16.custom.min.js", "Apple Malware: http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Apple unlocker, decryption via media]", "Malware Hosting: deviceinbox.com \u2022 http://www.hakoonportal.net/240714d/240714_t2.exe \u2022103.246.145.111 \u2022 Spyware: stream.ntpserver.store", "https://nl.toyota.be/tme [vehicle spyware, camera, data, speakers]", "http://link.mcsa.org/api/LinkHandler/getaction?redirectParam2=K09weU5vMDBKWW90Wk1hcHl4SmF4NGtHbnBGbjJaVElud2tpMlBaUGhseXZNM0JLaHRaUnJZOVh1bmMvSVhYWDZhb0UwY2hPaGVuSGNDRUFYeHNzWWFQL0dBNVlRVmlTSGpXa016bUQzWUZ6cVZRcktRTmRyZHJPYlBrY1NpSyt6ZzBrS0FjWk9EYSs4WmdOc2RBU09CR1RjWVNiTUZpYkhNV1lvNzkwbzhLMUxDUzQzS0FaVU5LYTZWSUZoS1Vt", "sexuallybroken.info \u2022 sinful-bordello.top-sex.us \u2022 crackedtool.com \u2022 kddi-cloud.com \u2022 http://tuksex.duckdns.org/bb/login.php", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [ "United States of America", "China", "Australia", "Hong Kong" ], "malware_families": [ { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "EVILNUM", "display_name": "EVILNUM", "target": null }, { "id": "Dark", "display_name": "Dark", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Keylogger", "display_name": "Keylogger", "target": null }, { "id": "Maze", "display_name": "Maze", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "Parallax RAT", "display_name": "Parallax RAT", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Remcos RAT", "display_name": "Remcos RAT", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Win.Trojan.Agent-336074", "display_name": "Win.Trojan.Agent-336074", "target": null }, { "id": "Arid.Viper_CnC", "display_name": "Arid.Viper_CnC", "target": null }, { "id": "WininiCrypt", "display_name": "WininiCrypt", "target": null }, { "id": "PWS:Win32/QQpass.CI", "display_name": "PWS:Win32/QQpass.CI", "target": "/malware/PWS:Win32/QQpass.CI" }, { "id": "Win.Trojan.Midia-4", "display_name": "Win.Trojan.Midia-4", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Win32/SocStealer!rfn", "display_name": "Win32/SocStealer!rfn", "target": null }, { "id": "Backdoor.Win32.Shiz.ufj", "display_name": "Backdoor.Win32.Shiz.ufj", "target": null }, { "id": "Email-Worm.Win32.Brontok.n", "display_name": "Email-Worm.Win32.Brontok.n", "target": null }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 148, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1373, "FileHash-SHA1": 1174, "FileHash-SHA256": 6417, "URL": 4264, "domain": 2304, "hostname": 2413, "CVE": 4, "email": 15, "CIDR": 1 }, "indicator_count": 17965, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "768 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b9716ef65566497546a7b1", "name": "Callback Phishing Campaign | Pegasus | https://safebae.org/", "description": "", "modified": "2024-02-29T04:00:48.424000", "created": "2024-01-30T22:00:14.725000", "tags": [ "acceptencoding", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers xcache", "wp engine", "threat", "paste", "iocs", "urls https", "samples", "contacted", "apple", "ssl certificate", "whois record", "contacted", "historical ssl", "referrer", "execution", "tsara brashears", "apple ios", "historical", "communicating", "copy", "attack", "njrat", "ransomware", "hacktool", "metro", "malicious", "crypto", "installer", "awful", "startpage", "callback phishing", "safebae", "catherine daisy coleman", "pegasus", "nso", "kb font", "january", "http", "resource path", "size", "type mimetype", "primary request", "kb document", "general full", "url http", "low risk", "sucuri firewall", "malware found", "site", "unknown", "low security", "risk", "website malware", "security no", "protect", "html internet", "html document", "unicode text", "utf8 text", "no data", "tag count", "sample summary", "sample", "detection list", "blacklist", "count blacklist", "tag tag", "anchor hrefs", "wordpress", "html info", "title safebae", "anyone else", "meta tags", "wpbakery page", "builder", "slider plugin", "script tags", "passive dns", "urls", "a nxdomain", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "files", "domain", "files ip", "united", "status", "as13768 aptum", "date", "moved", "creation date", "search", "record value", "body", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "false", "as30148 sucuri", "a domains", "gmt content", "ipv4", "win64", "back", "linux mint", "hacking", "brian sabey", "tracking", "hallrender", "staging", "dns", "network", "control", "bazar" ], "references": [ "https://safebae.org/", "www.hallrender.com", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "http://files.geoffreyobrian.com/uploads/1/3/2/8/132814305/3473236.pdf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing/ links to Brashears browser Google.com.uy/clk malicious, links for collection", "https://applemusic-spotlight.myunidays.com/US/en-US? [potential Apple pegasus media entrance]", "'https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption| password unlocker]", "s3.amazonaws.com [ metro T-Mobile spyware porn]", "9.6.zip - SQLi", "dns.trackgroup.net", "nr-data.net [Apple Private Data Collection]", "scripting-sandbox-dns.bunny.net", "http://www.01tracks.com/happy-customers", "https://www.rallypoint.com/command-post/veterans-benefits-banking-program-integrates-with-vetcents-to-improve-veterans-financial-health?utm_source=dept_of_va&utm_medium=email&utm_campaign=vavetcents", "http://yabs.yandex.uz/count/DbMMoEMwcAa508C2CI72BLq00000EEu2G0980c2y26W2SBYTbz06W06CXPm9Y06nyBJ1CP01mldXrZ6O0S3OwEyok06sjOF85S01NDW1uiI14E01zEhV3-W1Q9W2bk3S1A02jCW1s082y0AM-kpb2_W2aF62vgN6kDNb0O03iD_Kq0-80-cvf8mEc0EweogW0mIe0mQm0mIm106u1Fy1w0J-jHRu1D660uW5qOO3a0MGuWkW1PPtg0MeOx05g6Eu1VN-0i05bP0Lo0N0hmNW1GNm1G6O1eBGhFCEe0Q-eG6e1jW2oGPlwQdYVheAOD46Rn4LqN-w2c3P1W000C2z0000gGTjZOZwJYhCDx07W82ODD070k07XWhn1wbhSBFKCwp6W0WAq0Y0WeI1nP20Xe01u0YQP80A0S4A00000000y3_O2WBW2e29UlWAWBKOgWiGasxIrMsD000sz7Ltouq50DaBROs8-aug", "remote.utorrent.com | pornhub.dev | lp.rallypoint.com", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Twitter porno]", "https://www.hallrender.com/attorney/brian-sabey/Accept [Weird - defended Jeffrey Scott Reimer Tsara Brashears alleged assaulter[", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png [offered Brashears settlement that month]", "deadlyexploits.com | deadlysymbol.com |", "amail.linuxmint.com | api1-live.linuxmint.com | Hostname apipackages.linuxmint.com | apollo-extra.linuxmint.com | apps.linuxmint.com | arc.linuxmint.com | archive.linuxmint.com | betaforums1.linuxmint.com Hostname blogs.linuxmint.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Callback Phishing", "display_name": "Callback Phishing", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "BazarCall", "display_name": "BazarCall", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "65b8a05a0b9ebf8d916f0a6d", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2802, "URL": 3266, "domain": 1458, "hostname": 1265, "FileHash-MD5": 227, "FileHash-SHA1": 144, "CVE": 2, "email": 1, "SSLCertFingerprint": 2 }, "indicator_count": 9167, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "780 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b8a05a0b9ebf8d916f0a6d", "name": "Callback Phishing Campaign | Pegasus | Callback Phishing | https://safebae.org/", "description": "Multiple ransomware groups have adopted the BazarCall callback phishing technique a sophisticated scam; to gain initial access to victims' networks\nCallback phishing is a relying on a multi-stage process, exploiting trust to manipulate victims into divulging sensitive information or. At its core, callback phishing is a sophisticated social engineering tactic that triggers an emotional reaction from a victim and compels them to engage.\n\nStrange alleged tribute website appears to target Tsara Brashears. The alleged SA victims name is Catherine 'Daisy' Coleman name isn't part infrastructure. Malicious", "modified": "2024-02-29T04:00:48.424000", "created": "2024-01-30T07:08:10.072000", "tags": [ "acceptencoding", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers xcache", "wp engine", "threat", "paste", "iocs", "urls https", "samples", "contacted", "apple", "ssl certificate", "whois record", "contacted", "historical ssl", "referrer", "execution", "tsara brashears", "apple ios", "historical", "communicating", "copy", "attack", "njrat", "ransomware", "hacktool", "metro", "malicious", "crypto", "installer", "awful", "startpage", "callback phishing", "safebae", "catherine daisy coleman", "pegasus", "nso", "kb font", "january", "http", "resource path", "size", "type mimetype", "primary request", "kb document", "general full", "url http", "low risk", "sucuri firewall", "malware found", "site", "unknown", "low security", "risk", "website malware", "security no", "protect", "html internet", "html document", "unicode text", "utf8 text", "no data", "tag count", "sample summary", "sample", "detection list", "blacklist", "count blacklist", "tag tag", "anchor hrefs", "wordpress", "html info", "title safebae", "anyone else", "meta tags", "wpbakery page", "builder", "slider plugin", "script tags", "passive dns", "urls", "a nxdomain", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "files", "domain", "files ip", "united", "status", "as13768 aptum", "date", "moved", "creation date", "search", "record value", "body", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "false", "as30148 sucuri", "a domains", "gmt content", "ipv4", "win64", "back", "linux mint", "hacking", "brian sabey", "tracking", "hallrender", "staging", "dns", "network", "control", "bazar" ], "references": [ "https://safebae.org/", "www.hallrender.com", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "http://files.geoffreyobrian.com/uploads/1/3/2/8/132814305/3473236.pdf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing/ links to Brashears browser Google.com.uy/clk malicious, links for collection", "https://applemusic-spotlight.myunidays.com/US/en-US? [potential Apple pegasus media entrance]", "'https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption| password unlocker]", "s3.amazonaws.com [ metro T-Mobile spyware porn]", "9.6.zip - SQLi", "dns.trackgroup.net", "nr-data.net [Apple Private Data Collection]", "scripting-sandbox-dns.bunny.net", "http://www.01tracks.com/happy-customers", "https://www.rallypoint.com/command-post/veterans-benefits-banking-program-integrates-with-vetcents-to-improve-veterans-financial-health?utm_source=dept_of_va&utm_medium=email&utm_campaign=vavetcents", "http://yabs.yandex.uz/count/DbMMoEMwcAa508C2CI72BLq00000EEu2G0980c2y26W2SBYTbz06W06CXPm9Y06nyBJ1CP01mldXrZ6O0S3OwEyok06sjOF85S01NDW1uiI14E01zEhV3-W1Q9W2bk3S1A02jCW1s082y0AM-kpb2_W2aF62vgN6kDNb0O03iD_Kq0-80-cvf8mEc0EweogW0mIe0mQm0mIm106u1Fy1w0J-jHRu1D660uW5qOO3a0MGuWkW1PPtg0MeOx05g6Eu1VN-0i05bP0Lo0N0hmNW1GNm1G6O1eBGhFCEe0Q-eG6e1jW2oGPlwQdYVheAOD46Rn4LqN-w2c3P1W000C2z0000gGTjZOZwJYhCDx07W82ODD070k07XWhn1wbhSBFKCwp6W0WAq0Y0WeI1nP20Xe01u0YQP80A0S4A00000000y3_O2WBW2e29UlWAWBKOgWiGasxIrMsD000sz7Ltouq50DaBROs8-aug", "remote.utorrent.com | pornhub.dev | lp.rallypoint.com", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Twitter porno]", "https://www.hallrender.com/attorney/brian-sabey/Accept [Weird - defended Jeffrey Scott Reimer Tsara Brashears alleged assaulter[", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png [offered Brashears settlement that month]", "deadlyexploits.com | deadlysymbol.com |", "amail.linuxmint.com | api1-live.linuxmint.com | Hostname apipackages.linuxmint.com | apollo-extra.linuxmint.com | apps.linuxmint.com | arc.linuxmint.com | archive.linuxmint.com | betaforums1.linuxmint.com Hostname blogs.linuxmint.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Callback Phishing", "display_name": "Callback Phishing", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "BazarCall", "display_name": "BazarCall", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2802, "URL": 3266, "domain": 1458, "hostname": 1265, "FileHash-MD5": 227, "FileHash-SHA1": 144, "CVE": 2, "email": 1, "SSLCertFingerprint": 2 }, "indicator_count": 9167, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "780 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b8a056f2c1f16d391175b0", "name": "Callback Phishing Campaign | Pegasus | Callback Phishing | https://safebae.org/", "description": "Multiple ransomware groups have adopted the BazarCall callback phishing technique a sophisticated scam; to gain initial access to victims' networks\nCallback phishing is a relying on a multi-stage process, exploiting trust to manipulate victims into divulging sensitive information or. At its core, callback phishing is a sophisticated social engineering tactic that triggers an emotional reaction from a victim and compels them to engage.\n\nStrange alleged tribute website appears to target Tsara Brashears. The alleged SA victims name is Catherine 'Daisy' Coleman name isn't part infrastructure. Malicious", "modified": "2024-02-29T04:00:48.424000", "created": "2024-01-30T07:08:06.711000", "tags": [ "acceptencoding", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers xcache", "wp engine", "threat", "paste", "iocs", "urls https", "samples", "contacted", "apple", "ssl certificate", "whois record", "contacted", "historical ssl", "referrer", "execution", "tsara brashears", "apple ios", "historical", "communicating", "copy", "attack", "njrat", "ransomware", "hacktool", "metro", "malicious", "crypto", "installer", "awful", "startpage", "callback phishing", "safebae", "catherine daisy coleman", "pegasus", "nso", "kb font", "january", "http", "resource path", "size", "type mimetype", "primary request", "kb document", "general full", "url http", "low risk", "sucuri firewall", "malware found", "site", "unknown", "low security", "risk", "website malware", "security no", "protect", "html internet", "html document", "unicode text", "utf8 text", "no data", "tag count", "sample summary", "sample", "detection list", "blacklist", "count blacklist", "tag tag", "anchor hrefs", "wordpress", "html info", "title safebae", "anyone else", "meta tags", "wpbakery page", "builder", "slider plugin", "script tags", "passive dns", "urls", "a nxdomain", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "files", "domain", "files ip", "united", "status", "as13768 aptum", "date", "moved", "creation date", "search", "record value", "body", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "false", "as30148 sucuri", "a domains", "gmt content", "ipv4", "win64", "back", "linux mint", "hacking", "brian sabey", "tracking", "hallrender", "staging", "dns", "network", "control", "bazar" ], "references": [ "https://safebae.org/", "www.hallrender.com", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "http://files.geoffreyobrian.com/uploads/1/3/2/8/132814305/3473236.pdf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing/ links to Brashears browser Google.com.uy/clk malicious, links for collection", "https://applemusic-spotlight.myunidays.com/US/en-US? [potential Apple pegasus media entrance]", "'https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption| password unlocker]", "s3.amazonaws.com [ metro T-Mobile spyware porn]", "9.6.zip - SQLi", "dns.trackgroup.net", "nr-data.net [Apple Private Data Collection]", "scripting-sandbox-dns.bunny.net", "http://www.01tracks.com/happy-customers", "https://www.rallypoint.com/command-post/veterans-benefits-banking-program-integrates-with-vetcents-to-improve-veterans-financial-health?utm_source=dept_of_va&utm_medium=email&utm_campaign=vavetcents", "http://yabs.yandex.uz/count/DbMMoEMwcAa508C2CI72BLq00000EEu2G0980c2y26W2SBYTbz06W06CXPm9Y06nyBJ1CP01mldXrZ6O0S3OwEyok06sjOF85S01NDW1uiI14E01zEhV3-W1Q9W2bk3S1A02jCW1s082y0AM-kpb2_W2aF62vgN6kDNb0O03iD_Kq0-80-cvf8mEc0EweogW0mIe0mQm0mIm106u1Fy1w0J-jHRu1D660uW5qOO3a0MGuWkW1PPtg0MeOx05g6Eu1VN-0i05bP0Lo0N0hmNW1GNm1G6O1eBGhFCEe0Q-eG6e1jW2oGPlwQdYVheAOD46Rn4LqN-w2c3P1W000C2z0000gGTjZOZwJYhCDx07W82ODD070k07XWhn1wbhSBFKCwp6W0WAq0Y0WeI1nP20Xe01u0YQP80A0S4A00000000y3_O2WBW2e29UlWAWBKOgWiGasxIrMsD000sz7Ltouq50DaBROs8-aug", "remote.utorrent.com | pornhub.dev | lp.rallypoint.com", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Twitter porno]", "https://www.hallrender.com/attorney/brian-sabey/Accept [Weird - defended Jeffrey Scott Reimer Tsara Brashears alleged assaulter[", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png [offered Brashears settlement that month]", "deadlyexploits.com | deadlysymbol.com |", "amail.linuxmint.com | api1-live.linuxmint.com | Hostname apipackages.linuxmint.com | apollo-extra.linuxmint.com | apps.linuxmint.com | arc.linuxmint.com | archive.linuxmint.com | betaforums1.linuxmint.com Hostname blogs.linuxmint.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Callback Phishing", "display_name": "Callback Phishing", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "BazarCall", "display_name": "BazarCall", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2802, "URL": 3266, "domain": 1458, "hostname": 1265, "FileHash-MD5": 227, "FileHash-SHA1": 144, "CVE": 2, "email": 1, "SSLCertFingerprint": 2 }, "indicator_count": 9167, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "780 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b8a052c4160dbd76054f8a", "name": "Callback Phishing Campaign | Pegasus | Callback Phishing | https://safebae.org/", "description": "Multiple ransomware groups have adopted the BazarCall callback phishing technique a sophisticated scam; to gain initial access to victims' networks\nCallback phishing is a relying on a multi-stage process, exploiting trust to manipulate victims into divulging sensitive information or. At its core, callback phishing is a sophisticated social engineering tactic that triggers an emotional reaction from a victim and compels them to engage.\n\nStrange alleged tribute website appears to target Tsara Brashears. The alleged SA victims name is Catherine 'Daisy' Coleman name isn't part infrastructure. Malicious", "modified": "2024-02-29T04:00:48.424000", "created": "2024-01-30T07:08:02.918000", "tags": [ "acceptencoding", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers xcache", "wp engine", "threat", "paste", "iocs", "urls https", "samples", "contacted", "apple", "ssl certificate", "whois record", "contacted", "historical ssl", "referrer", "execution", "tsara brashears", "apple ios", "historical", "communicating", "copy", "attack", "njrat", "ransomware", "hacktool", "metro", "malicious", "crypto", "installer", "awful", "startpage", "callback phishing", "safebae", "catherine daisy coleman", "pegasus", "nso", "kb font", "january", "http", "resource path", "size", "type mimetype", "primary request", "kb document", "general full", "url http", "low risk", "sucuri firewall", "malware found", "site", "unknown", "low security", "risk", "website malware", "security no", "protect", "html internet", "html document", "unicode text", "utf8 text", "no data", "tag count", "sample summary", "sample", "detection list", "blacklist", "count blacklist", "tag tag", "anchor hrefs", "wordpress", "html info", "title safebae", "anyone else", "meta tags", "wpbakery page", "builder", "slider plugin", "script tags", "passive dns", "urls", "a nxdomain", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "files", "domain", "files ip", "united", "status", "as13768 aptum", "date", "moved", "creation date", "search", "record value", "body", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "false", "as30148 sucuri", "a domains", "gmt content", "ipv4", "win64", "back", "linux mint", "hacking", "brian sabey", "tracking", "hallrender", "staging", "dns", "network", "control", "bazar" ], "references": [ "https://safebae.org/", "www.hallrender.com", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "http://files.geoffreyobrian.com/uploads/1/3/2/8/132814305/3473236.pdf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing/ links to Brashears browser Google.com.uy/clk malicious, links for collection", "https://applemusic-spotlight.myunidays.com/US/en-US? [potential Apple pegasus media entrance]", "'https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption| password unlocker]", "s3.amazonaws.com [ metro T-Mobile spyware porn]", "9.6.zip - SQLi", "dns.trackgroup.net", "nr-data.net [Apple Private Data Collection]", "scripting-sandbox-dns.bunny.net", "http://www.01tracks.com/happy-customers", "https://www.rallypoint.com/command-post/veterans-benefits-banking-program-integrates-with-vetcents-to-improve-veterans-financial-health?utm_source=dept_of_va&utm_medium=email&utm_campaign=vavetcents", "http://yabs.yandex.uz/count/DbMMoEMwcAa508C2CI72BLq00000EEu2G0980c2y26W2SBYTbz06W06CXPm9Y06nyBJ1CP01mldXrZ6O0S3OwEyok06sjOF85S01NDW1uiI14E01zEhV3-W1Q9W2bk3S1A02jCW1s082y0AM-kpb2_W2aF62vgN6kDNb0O03iD_Kq0-80-cvf8mEc0EweogW0mIe0mQm0mIm106u1Fy1w0J-jHRu1D660uW5qOO3a0MGuWkW1PPtg0MeOx05g6Eu1VN-0i05bP0Lo0N0hmNW1GNm1G6O1eBGhFCEe0Q-eG6e1jW2oGPlwQdYVheAOD46Rn4LqN-w2c3P1W000C2z0000gGTjZOZwJYhCDx07W82ODD070k07XWhn1wbhSBFKCwp6W0WAq0Y0WeI1nP20Xe01u0YQP80A0S4A00000000y3_O2WBW2e29UlWAWBKOgWiGasxIrMsD000sz7Ltouq50DaBROs8-aug", "remote.utorrent.com | pornhub.dev | lp.rallypoint.com", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Twitter porno]", "https://www.hallrender.com/attorney/brian-sabey/Accept [Weird - defended Jeffrey Scott Reimer Tsara Brashears alleged assaulter[", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png [offered Brashears settlement that month]", "deadlyexploits.com | deadlysymbol.com |", "amail.linuxmint.com | api1-live.linuxmint.com | Hostname apipackages.linuxmint.com | apollo-extra.linuxmint.com | apps.linuxmint.com | arc.linuxmint.com | archive.linuxmint.com | betaforums1.linuxmint.com Hostname blogs.linuxmint.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Callback Phishing", "display_name": "Callback Phishing", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "BazarCall", "display_name": "BazarCall", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2802, "URL": 3266, "domain": 1458, "hostname": 1265, "FileHash-MD5": 227, "FileHash-SHA1": 144, "CVE": 2, "email": 1, "SSLCertFingerprint": 2 }, "indicator_count": 9167, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "780 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65be8c8b8997508722c642ee", "name": "Phishing Campaign | Pegasus ", "description": "", "modified": "2024-02-29T04:00:48.424000", "created": "2024-02-03T18:57:15.475000", "tags": [ "acceptencoding", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers xcache", "wp engine", "threat", "paste", "iocs", "urls https", "samples", "contacted", "apple", "ssl certificate", "whois record", "contacted", "historical ssl", "referrer", "execution", "tsara brashears", "apple ios", "historical", "communicating", "copy", "attack", "njrat", "ransomware", "hacktool", "metro", "malicious", "crypto", "installer", "awful", "startpage", "callback phishing", "safebae", "catherine daisy coleman", "pegasus", "nso", "kb font", "january", "http", "resource path", "size", "type mimetype", "primary request", "kb document", "general full", "url http", "low risk", "sucuri firewall", "malware found", "site", "unknown", "low security", "risk", "website malware", "security no", "protect", "html internet", "html document", "unicode text", "utf8 text", "no data", "tag count", "sample summary", "sample", "detection list", "blacklist", "count blacklist", "tag tag", "anchor hrefs", "wordpress", "html info", "title safebae", "anyone else", "meta tags", "wpbakery page", "builder", "slider plugin", "script tags", "passive dns", "urls", "a nxdomain", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "files", "domain", "files ip", "united", "status", "as13768 aptum", "date", "moved", "creation date", "search", "record value", "body", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "false", "as30148 sucuri", "a domains", "gmt content", "ipv4", "win64", "back", "linux mint", "hacking", "brian sabey", "tracking", "hallrender", "staging", "dns", "network", "control", "bazar" ], "references": [ "https://safebae.org/", "www.hallrender.com", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "http://files.geoffreyobrian.com/uploads/1/3/2/8/132814305/3473236.pdf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing/ links to Brashears browser Google.com.uy/clk malicious, links for collection", "https://applemusic-spotlight.myunidays.com/US/en-US? [potential Apple pegasus media entrance]", "'https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption| password unlocker]", "s3.amazonaws.com [ metro T-Mobile spyware porn]", "9.6.zip - SQLi", "dns.trackgroup.net", "nr-data.net [Apple Private Data Collection]", "scripting-sandbox-dns.bunny.net", "http://www.01tracks.com/happy-customers", "https://www.rallypoint.com/command-post/veterans-benefits-banking-program-integrates-with-vetcents-to-improve-veterans-financial-health?utm_source=dept_of_va&utm_medium=email&utm_campaign=vavetcents", "http://yabs.yandex.uz/count/DbMMoEMwcAa508C2CI72BLq00000EEu2G0980c2y26W2SBYTbz06W06CXPm9Y06nyBJ1CP01mldXrZ6O0S3OwEyok06sjOF85S01NDW1uiI14E01zEhV3-W1Q9W2bk3S1A02jCW1s082y0AM-kpb2_W2aF62vgN6kDNb0O03iD_Kq0-80-cvf8mEc0EweogW0mIe0mQm0mIm106u1Fy1w0J-jHRu1D660uW5qOO3a0MGuWkW1PPtg0MeOx05g6Eu1VN-0i05bP0Lo0N0hmNW1GNm1G6O1eBGhFCEe0Q-eG6e1jW2oGPlwQdYVheAOD46Rn4LqN-w2c3P1W000C2z0000gGTjZOZwJYhCDx07W82ODD070k07XWhn1wbhSBFKCwp6W0WAq0Y0WeI1nP20Xe01u0YQP80A0S4A00000000y3_O2WBW2e29UlWAWBKOgWiGasxIrMsD000sz7Ltouq50DaBROs8-aug", "remote.utorrent.com | pornhub.dev | lp.rallypoint.com", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Twitter porno]", "https://www.hallrender.com/attorney/brian-sabey/Accept [Weird - defended Jeffrey Scott Reimer Tsara Brashears alleged assaulter[", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png [offered Brashears settlement that month]", "deadlyexploits.com | deadlysymbol.com |", "amail.linuxmint.com | api1-live.linuxmint.com | Hostname apipackages.linuxmint.com | apollo-extra.linuxmint.com | apps.linuxmint.com | arc.linuxmint.com | archive.linuxmint.com | betaforums1.linuxmint.com Hostname blogs.linuxmint.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Callback Phishing", "display_name": "Callback Phishing", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "BazarCall", "display_name": "BazarCall", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "65b8a05a0b9ebf8d916f0a6d", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2802, "URL": 3266, "domain": 1458, "hostname": 1265, "FileHash-MD5": 227, "FileHash-SHA1": 144, "CVE": 2, "email": 1, "SSLCertFingerprint": 2 }, "indicator_count": 9167, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "780 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://a.oooooooooo.ga/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://a.oooooooooo.ga/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776641895.3894753 }