{ "type": "URL", "indicator": "https://app.careforth.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://app.careforth.com/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4133310394, "indicator": "https://app.careforth.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "68d0b00b7ccb342031594e77", "name": "OTX Generated with strange commentary as always", "description": "OTX Auto populated-> Yara Yara, a 27-year-old woman from New York, has found that a law firm allegedly controlled Tsara Brashears' life and healthcare plan under the guise of being a Medicare United Healthcare plan. |", "modified": "2025-10-22T02:00:03.967000", "created": "2025-09-22T02:10:19.819000", "tags": [ "expiration", "url http", "hall render", "possible deep", "https", "deep panda", "brian sabey", "tsara brashears", "panda", "post", "virtool", "service", "fraud", "url https", "search", "type indicator", "role title", "added active", "related pulses", "claim reversal", "view", "fieldlastname", "filehashmd5", "filehashsha1", "domain", "hostname", "virgin islands", "united", "canada", "ireland", "writeconsolea", "regsetvalueexa", "regdword", "module load", "t1129", "show", "micromedia", "write", "markus", "april", "win32", "lost", "malware", "copy", "c2 activity", "cnc ids", "beacon", "server", "domain status", "algorithm", "key identifier", "x509v3 subject", "full name", "date", "registrar abuse", "registrar", "data", "ipv4", "returnurl", "masquerade task", "t1448", "carrier billing", "fraud endpoint", "security scan", "iocs", "learn more", "relationship", "t1040", "sniffing", "t1045", "packing", "t1053", "taskjob", "t1060", "scan", "entries", "healthcare", "legal", "families", "sakurel", "formbook att", "ck ids", "t1199", "render", "brian", "sabey", "fieldssn", "elqaid16867", "elqat1", "elqcst272", "formbookatt", "white insane", "law firm", "run keys", "ta0011", "command", "control", "t1410", "redirection", "medium", "windows", "high", "yara detections", "backdoor", "showing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [ "Healthcare", "Legal", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2189, "FileHash-MD5": 469, "FileHash-SHA1": 447, "FileHash-SHA256": 2446, "domain": 465, "hostname": 1224, "email": 15 }, "indicator_count": 7255, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "179 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d09835fed794bdc304de40", "name": "Deep Panda | Hall Render | Brian Sabey controlled Tsara Brashears life & Healthcare", "description": "Insane. Law Firm Hall Render including attorneys allegedly named M. \u2018Brian Sabey\u2019 and \u2018Gregg Wallender\u2019 began hosting a private pay healthcare plan for Tsara Brashears under the the guise of being a Medicare United Healthcare plan from 3/2021 - 12/2024. What Fraud! Brashears became millions $ in debt. Multiple insurance companies have had to be updated only to be cancelled. She\u2019d been denied spinal stabilization surgery worsening SCI C1 - L5. I didn\u2019t expect to find this at all. When her supplies weren\u2019t paid for. Angry supplier gave information to caregiver. Since then attempts on lives. \nNone of us are safe. I wonder if this is also part of Hall Render. How is this possible?\n\nThese are very dangerous people with hitmen. \nPlease STOP!", "modified": "2025-10-21T23:02:21.484000", "created": "2025-09-22T00:28:37.292000", "tags": [ "expiration", "related pulses", "language", "html document", "ascii text", "crlf line", "doctype", "portal", "enter", "tax id", "provider portal", "home", "iis windows", "provider web", "portal account", "please", "status", "server", "domain status", "registrar abuse", "registrar", "dnssec", "us registrant", "email", "contact email", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "se review", "exclude data", "extraction", "search otx", "data upload", "enter source", "url or", "texurag", "value a", "se source", "extra", "referen data", "ica7nvfarux", "include review", "failed", "sc data", "type", "extra data", "referen", "hcpruxi include", "review exclude", "sugges", "exclude", "find s", "typ url", "hos hos", "domain hos", "hast", "referen hcpruxi", "include", "cus cndigicert", "sha256", "ca1 odigicert", "inc validity", "ogainwell", "subject public", "key info", "available from", "code", "registry tech", "admin country", "gb registrant", "organization", "registry domain", "tech email", "iocs", "name servers", "emails", "search", "certificate", "passive dns", "urls", "domain", "record value", "body", "united", "present jul", "present jun", "moved", "ip address", "entries", "unknown cname", "present may", "title", "name", "hostname add", "writeconsolea", "regsetvalueexa", "regdword", "show", "deep panda", "module load", "t1129", "post", "write", "markus", "april", "win32", "lost", "malware", "backdoor", "present dec", "virgin islands", "trojan", "present feb", "present jan", "error", "avast avg", "possible deep", "ipv4 add", "pulse pulses", "files", "hosting", "location virgin", "islands", "twitter", "panda", "associated urls", "date checked", "url hostname", "server response", "read c", "formbook cnc", "checkin", "medium", "yara detections", "delete", "ids detections", "pulse", "srs ab", "showing", "uregistruotas", "date", "pulses", "unknown ns", "xloader" ], "references": [ "/hcp/ruxitagentjs_ICA7NVfqrux_10321250808084810.js", "IDS Detections: Possible DEEP PANDA C2 Activity Possible Deep Panda - Sakula/Mivast RAT CnC", "IDS: Beacon 5 Sakula/Mivast C2 Activity HTTP traffic on port 443 (POST)", "Yara Detections: RAT_Sakula , ScanBox_Malware_Generic , Nrv2x , UPX_OEP_place , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser ,", "Yara: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "Yara: kernel32_dll_xor_exe_key_11 , xor_0xb_kernel32_dll", "Alerts: network_icmp persistence_autorun modifies_proxy_wpad packer_polymorphic", "IDS: FormBook CnC Checkin (POST) Terse HTTP 1.0 Request Possible Nivdort Beacon 5 Possible DEEP PANDA C2 Activity (208.91.197.27)", "IDS: Possible HTTP 403 XSS Attempt (Local Source) Possible Deep Panda - Sakula/Mivast RAT CnC (208.91.197.27)", "Craziest thing ever! Hall Render \u2018alleged\u2019 Law Firm was paying Tara Brasheats insurance?!", "Insane! They 1st kicked her of her Private pay United Healthcare. Put her off of Medicare. Won\u2019t pay!", "http://2fwww.hallrender.com/ \u2022 http://citrix.hallrender.com/ \u2022 http://dev.hallrender.com/ http://hallrender.com/attorney/brian-sabey/ No Expiration\t0\t URL http://hallrender.com/resource-blog No Expiration\t0\t URL http://hallrender.com/resources No Expiration\t0\t URL http://mail.hallrender.com/ No Expiration\t0\t URL http://www.hallrender.com/attorney/brian-sabey", "autodiscover.hallrender.com \u2022 hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed", "image.marketing.hallrender.com \u2022 https://hallrender.com/resources \u2022", "https://hallrender.com/resources/blog/ \u2022 https://www.hallrender.com/attorn", "www.podcast.hallrender.com \u2022 https://hallrender.com/resource-blog \u2022", "https://hallrender.com/attorney/gregg-m-wallander/", "https://elite.hallrender.com/TE_3E_PROD/web/ui/dashboard/ActionList_CCC", "https://hallrender.com/attorney/brian-sabey/ \u2022 https://hallrender.com/resources/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Backdoor:Win32/Plugx.N!dha", "display_name": "Backdoor:Win32/Plugx.N!dha", "target": "/malware/Backdoor:Win32/Plugx.N!dha" }, { "id": "Sakurel", "display_name": "Sakurel", "target": null }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "Virtool:Win32/Obfuscator.JM", "display_name": "Virtool:Win32/Obfuscator.JM", "target": "/malware/Virtool:Win32/Obfuscator.JM" }, { "id": "Formbook", "display_name": "Formbook", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [ "Healthcare", "Legal", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1886, "domain": 378, "hostname": 882, "FileHash-MD5": 173, "FileHash-SHA1": 172, "FileHash-SHA256": 1038, "email": 9 }, "indicator_count": 4538, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "179 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d1021acaa3ff0024effb9a", "name": "Deep Panda \u2022 Formbook - Provider Portal Account Entry \u2022 Widespread issue| Attributed to Brian Sabey of Hall Render ", "description": "", "modified": "2025-10-21T23:02:21.484000", "created": "2025-09-22T08:00:26.271000", "tags": [ "expiration", "related pulses", "language", "html document", "ascii text", "crlf line", "doctype", "portal", "enter", "tax id", "provider portal", "home", "iis windows", "provider web", "portal account", "please", "status", "server", "domain status", "registrar abuse", "registrar", "dnssec", "us registrant", "email", "contact email", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "se review", "exclude data", "extraction", "search otx", "data upload", "enter source", "url or", "texurag", "value a", "se source", "extra", "referen data", "ica7nvfarux", "include review", "failed", "sc data", "type", "extra data", "referen", "hcpruxi include", "review exclude", "sugges", "exclude", "find s", "typ url", "hos hos", "domain hos", "hast", "referen hcpruxi", "include", "cus cndigicert", "sha256", "ca1 odigicert", "inc validity", "ogainwell", "subject public", "key info", "available from", "code", "registry tech", "admin country", "gb registrant", "organization", "registry domain", "tech email", "iocs", "name servers", "emails", "search", "certificate", "passive dns", "urls", "domain", "record value", "body", "united", "present jul", "present jun", "moved", "ip address", "entries", "unknown cname", "present may", "title", "name", "hostname add", "writeconsolea", "regsetvalueexa", "regdword", "show", "deep panda", "module load", "t1129", "post", "write", "markus", "april", "win32", "lost", "malware", "backdoor", "present dec", "virgin islands", "trojan", "present feb", "present jan", "error", "avast avg", "possible deep", "ipv4 add", "pulse pulses", "files", "hosting", "location virgin", "islands", "twitter", "panda", "associated urls", "date checked", "url hostname", "server response", "read c", "formbook cnc", "checkin", "medium", "yara detections", "delete", "ids detections", "pulse", "srs ab", "showing", "uregistruotas", "date", "pulses", "unknown ns", "xloader" ], "references": [ "/hcp/ruxitagentjs_ICA7NVfqrux_10321250808084810.js", "IDS Detections: Possible DEEP PANDA C2 Activity Possible Deep Panda - Sakula/Mivast RAT CnC", "IDS: Beacon 5 Sakula/Mivast C2 Activity HTTP traffic on port 443 (POST)", "Yara Detections: RAT_Sakula , ScanBox_Malware_Generic , Nrv2x , UPX_OEP_place , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser ,", "Yara: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "Yara: kernel32_dll_xor_exe_key_11 , xor_0xb_kernel32_dll", "Alerts: network_icmp persistence_autorun modifies_proxy_wpad packer_polymorphic", "IDS: FormBook CnC Checkin (POST) Terse HTTP 1.0 Request Possible Nivdort Beacon 5 Possible DEEP PANDA C2 Activity (208.91.197.27)", "IDS: Possible HTTP 403 XSS Attempt (Local Source) Possible Deep Panda - Sakula/Mivast RAT CnC (208.91.197.27)", "Craziest thing ever! Hall Render \u2018alleged\u2019 Law Firm was paying Tara Brasheats insurance?!", "Insane! They 1st kicked her of her Private pay United Healthcare. Put her off of Medicare. Won\u2019t pay!", "http://2fwww.hallrender.com/ \u2022 http://citrix.hallrender.com/ \u2022 http://dev.hallrender.com/ http://hallrender.com/attorney/brian-sabey/ No Expiration\t0\t URL http://hallrender.com/resource-blog No Expiration\t0\t URL http://hallrender.com/resources No Expiration\t0\t URL http://mail.hallrender.com/ No Expiration\t0\t URL http://www.hallrender.com/attorney/brian-sabey", "autodiscover.hallrender.com \u2022 hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed", "image.marketing.hallrender.com \u2022 https://hallrender.com/resources \u2022", "https://hallrender.com/resources/blog/ \u2022 https://www.hallrender.com/attorn", "www.podcast.hallrender.com \u2022 https://hallrender.com/resource-blog \u2022", "https://hallrender.com/attorney/gregg-m-wallander/", "https://elite.hallrender.com/TE_3E_PROD/web/ui/dashboard/ActionList_CCC", "https://hallrender.com/attorney/brian-sabey/ \u2022 https://hallrender.com/resources/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Backdoor:Win32/Plugx.N!dha", "display_name": "Backdoor:Win32/Plugx.N!dha", "target": "/malware/Backdoor:Win32/Plugx.N!dha" }, { "id": "Sakurel", "display_name": "Sakurel", "target": null }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "Virtool:Win32/Obfuscator.JM", "display_name": "Virtool:Win32/Obfuscator.JM", "target": "/malware/Virtool:Win32/Obfuscator.JM" }, { "id": "Formbook", "display_name": "Formbook", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [ "Healthcare", "Legal", "Government" ], "TLP": "white", "cloned_from": "68d09835fed794bdc304de40", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1886, "domain": 378, "hostname": 882, "FileHash-MD5": 173, "FileHash-SHA1": 172, "FileHash-SHA256": 1038, "email": 9 }, "indicator_count": 4538, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "179 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "/hcp/ruxitagentjs_ICA7NVfqrux_10321250808084810.js", "autodiscover.hallrender.com \u2022 hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed", "Alerts: network_icmp persistence_autorun modifies_proxy_wpad packer_polymorphic", "https://hallrender.com/resources/blog/ \u2022 https://www.hallrender.com/attorn", "Insane! They 1st kicked her of her Private pay United Healthcare. Put her off of Medicare. Won\u2019t pay!", "www.podcast.hallrender.com \u2022 https://hallrender.com/resource-blog \u2022", "IDS Detections: Possible DEEP PANDA C2 Activity Possible Deep Panda - Sakula/Mivast RAT CnC", "https://elite.hallrender.com/TE_3E_PROD/web/ui/dashboard/ActionList_CCC", "image.marketing.hallrender.com \u2022 https://hallrender.com/resources \u2022", "IDS: FormBook CnC Checkin (POST) Terse HTTP 1.0 Request Possible Nivdort Beacon 5 Possible DEEP PANDA C2 Activity (208.91.197.27)", "Yara: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "http://2fwww.hallrender.com/ \u2022 http://citrix.hallrender.com/ \u2022 http://dev.hallrender.com/ http://hallrender.com/attorney/brian-sabey/ No Expiration\t0\t URL http://hallrender.com/resource-blog No Expiration\t0\t URL http://hallrender.com/resources No Expiration\t0\t URL http://mail.hallrender.com/ No Expiration\t0\t URL http://www.hallrender.com/attorney/brian-sabey", "https://hallrender.com/attorney/gregg-m-wallander/", "Yara: kernel32_dll_xor_exe_key_11 , xor_0xb_kernel32_dll", "https://hallrender.com/attorney/brian-sabey/ \u2022 https://hallrender.com/resources/", "Craziest thing ever! Hall Render \u2018alleged\u2019 Law Firm was paying Tara Brasheats insurance?!", "IDS: Possible HTTP 403 XSS Attempt (Local Source) Possible Deep Panda - Sakula/Mivast RAT CnC (208.91.197.27)", "IDS: Beacon 5 Sakula/Mivast C2 Activity HTTP traffic on port 443 (POST)", "Yara Detections: RAT_Sakula , ScanBox_Malware_Generic , Nrv2x , UPX_OEP_place , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser ," ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Formbook", "Sakurel", "Win.packed.generic-9967832-0", "Virtool:win32/obfuscator.jm", "Backdoor:win32/plugx.n!dha" ], "industries": [ "Legal", "Government", "Healthcare" ], "unique_indicators": 7502 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/careforth.com", "whois": "http://whois.domaintools.com/careforth.com", "domain": "careforth.com", "hostname": "app.careforth.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "68d0b00b7ccb342031594e77", "name": "OTX Generated with strange commentary as always", "description": "OTX Auto populated-> Yara Yara, a 27-year-old woman from New York, has found that a law firm allegedly controlled Tsara Brashears' life and healthcare plan under the guise of being a Medicare United Healthcare plan. |", "modified": "2025-10-22T02:00:03.967000", "created": "2025-09-22T02:10:19.819000", "tags": [ "expiration", "url http", "hall render", "possible deep", "https", "deep panda", "brian sabey", "tsara brashears", "panda", "post", "virtool", "service", "fraud", "url https", "search", "type indicator", "role title", "added active", "related pulses", "claim reversal", "view", "fieldlastname", "filehashmd5", "filehashsha1", "domain", "hostname", "virgin islands", "united", "canada", "ireland", "writeconsolea", "regsetvalueexa", "regdword", "module load", "t1129", "show", "micromedia", "write", "markus", "april", "win32", "lost", "malware", "copy", "c2 activity", "cnc ids", "beacon", "server", "domain status", "algorithm", "key identifier", "x509v3 subject", "full name", "date", "registrar abuse", "registrar", "data", "ipv4", "returnurl", "masquerade task", "t1448", "carrier billing", "fraud endpoint", "security scan", "iocs", "learn more", "relationship", "t1040", "sniffing", "t1045", "packing", "t1053", "taskjob", "t1060", "scan", "entries", "healthcare", "legal", "families", "sakurel", "formbook att", "ck ids", "t1199", "render", "brian", "sabey", "fieldssn", "elqaid16867", "elqat1", "elqcst272", "formbookatt", "white insane", "law firm", "run keys", "ta0011", "command", "control", "t1410", "redirection", "medium", "windows", "high", "yara detections", "backdoor", "showing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [ "Healthcare", "Legal", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2189, "FileHash-MD5": 469, "FileHash-SHA1": 447, "FileHash-SHA256": 2446, "domain": 465, "hostname": 1224, "email": 15 }, "indicator_count": 7255, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "179 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d09835fed794bdc304de40", "name": "Deep Panda | Hall Render | Brian Sabey controlled Tsara Brashears life & Healthcare", "description": "Insane. Law Firm Hall Render including attorneys allegedly named M. \u2018Brian Sabey\u2019 and \u2018Gregg Wallender\u2019 began hosting a private pay healthcare plan for Tsara Brashears under the the guise of being a Medicare United Healthcare plan from 3/2021 - 12/2024. What Fraud! Brashears became millions $ in debt. Multiple insurance companies have had to be updated only to be cancelled. She\u2019d been denied spinal stabilization surgery worsening SCI C1 - L5. I didn\u2019t expect to find this at all. When her supplies weren\u2019t paid for. Angry supplier gave information to caregiver. Since then attempts on lives. \nNone of us are safe. I wonder if this is also part of Hall Render. How is this possible?\n\nThese are very dangerous people with hitmen. \nPlease STOP!", "modified": "2025-10-21T23:02:21.484000", "created": "2025-09-22T00:28:37.292000", "tags": [ "expiration", "related pulses", "language", "html document", "ascii text", "crlf line", "doctype", "portal", "enter", "tax id", "provider portal", "home", "iis windows", "provider web", "portal account", "please", "status", "server", "domain status", "registrar abuse", "registrar", "dnssec", "us registrant", "email", "contact email", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "se review", "exclude data", "extraction", "search otx", "data upload", "enter source", "url or", "texurag", "value a", "se source", "extra", "referen data", "ica7nvfarux", "include review", "failed", "sc data", "type", "extra data", "referen", "hcpruxi include", "review exclude", "sugges", "exclude", "find s", "typ url", "hos hos", "domain hos", "hast", "referen hcpruxi", "include", "cus cndigicert", "sha256", "ca1 odigicert", "inc validity", "ogainwell", "subject public", "key info", "available from", "code", "registry tech", "admin country", "gb registrant", "organization", "registry domain", "tech email", "iocs", "name servers", "emails", "search", "certificate", "passive dns", "urls", "domain", "record value", "body", "united", "present jul", "present jun", "moved", "ip address", "entries", "unknown cname", "present may", "title", "name", "hostname add", "writeconsolea", "regsetvalueexa", "regdword", "show", "deep panda", "module load", "t1129", "post", "write", "markus", "april", "win32", "lost", "malware", "backdoor", "present dec", "virgin islands", "trojan", "present feb", "present jan", "error", "avast avg", "possible deep", "ipv4 add", "pulse pulses", "files", "hosting", "location virgin", "islands", "twitter", "panda", "associated urls", "date checked", "url hostname", "server response", "read c", "formbook cnc", "checkin", "medium", "yara detections", "delete", "ids detections", "pulse", "srs ab", "showing", "uregistruotas", "date", "pulses", "unknown ns", "xloader" ], "references": [ "/hcp/ruxitagentjs_ICA7NVfqrux_10321250808084810.js", "IDS Detections: Possible DEEP PANDA C2 Activity Possible Deep Panda - Sakula/Mivast RAT CnC", "IDS: Beacon 5 Sakula/Mivast C2 Activity HTTP traffic on port 443 (POST)", "Yara Detections: RAT_Sakula , ScanBox_Malware_Generic , Nrv2x , UPX_OEP_place , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser ,", "Yara: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "Yara: kernel32_dll_xor_exe_key_11 , xor_0xb_kernel32_dll", "Alerts: network_icmp persistence_autorun modifies_proxy_wpad packer_polymorphic", "IDS: FormBook CnC Checkin (POST) Terse HTTP 1.0 Request Possible Nivdort Beacon 5 Possible DEEP PANDA C2 Activity (208.91.197.27)", "IDS: Possible HTTP 403 XSS Attempt (Local Source) Possible Deep Panda - Sakula/Mivast RAT CnC (208.91.197.27)", "Craziest thing ever! Hall Render \u2018alleged\u2019 Law Firm was paying Tara Brasheats insurance?!", "Insane! They 1st kicked her of her Private pay United Healthcare. Put her off of Medicare. Won\u2019t pay!", "http://2fwww.hallrender.com/ \u2022 http://citrix.hallrender.com/ \u2022 http://dev.hallrender.com/ http://hallrender.com/attorney/brian-sabey/ No Expiration\t0\t URL http://hallrender.com/resource-blog No Expiration\t0\t URL http://hallrender.com/resources No Expiration\t0\t URL http://mail.hallrender.com/ No Expiration\t0\t URL http://www.hallrender.com/attorney/brian-sabey", "autodiscover.hallrender.com \u2022 hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed", "image.marketing.hallrender.com \u2022 https://hallrender.com/resources \u2022", "https://hallrender.com/resources/blog/ \u2022 https://www.hallrender.com/attorn", "www.podcast.hallrender.com \u2022 https://hallrender.com/resource-blog \u2022", "https://hallrender.com/attorney/gregg-m-wallander/", "https://elite.hallrender.com/TE_3E_PROD/web/ui/dashboard/ActionList_CCC", "https://hallrender.com/attorney/brian-sabey/ \u2022 https://hallrender.com/resources/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Backdoor:Win32/Plugx.N!dha", "display_name": "Backdoor:Win32/Plugx.N!dha", "target": "/malware/Backdoor:Win32/Plugx.N!dha" }, { "id": "Sakurel", "display_name": "Sakurel", "target": null }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "Virtool:Win32/Obfuscator.JM", "display_name": "Virtool:Win32/Obfuscator.JM", "target": "/malware/Virtool:Win32/Obfuscator.JM" }, { "id": "Formbook", "display_name": "Formbook", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [ "Healthcare", "Legal", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1886, "domain": 378, "hostname": 882, "FileHash-MD5": 173, "FileHash-SHA1": 172, "FileHash-SHA256": 1038, "email": 9 }, "indicator_count": 4538, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "179 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d1021acaa3ff0024effb9a", "name": "Deep Panda \u2022 Formbook - Provider Portal Account Entry \u2022 Widespread issue| Attributed to Brian Sabey of Hall Render ", "description": "", "modified": "2025-10-21T23:02:21.484000", "created": "2025-09-22T08:00:26.271000", "tags": [ "expiration", "related pulses", "language", "html document", "ascii text", "crlf line", "doctype", "portal", "enter", "tax id", "provider portal", "home", "iis windows", "provider web", "portal account", "please", "status", "server", "domain status", "registrar abuse", "registrar", "dnssec", "us registrant", "email", "contact email", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "se review", "exclude data", "extraction", "search otx", "data upload", "enter source", "url or", "texurag", "value a", "se source", "extra", "referen data", "ica7nvfarux", "include review", "failed", "sc data", "type", "extra data", "referen", "hcpruxi include", "review exclude", "sugges", "exclude", "find s", "typ url", "hos hos", "domain hos", "hast", "referen hcpruxi", "include", "cus cndigicert", "sha256", "ca1 odigicert", "inc validity", "ogainwell", "subject public", "key info", "available from", "code", "registry tech", "admin country", "gb registrant", "organization", "registry domain", "tech email", "iocs", "name servers", "emails", "search", "certificate", "passive dns", "urls", "domain", "record value", "body", "united", "present jul", "present jun", "moved", "ip address", "entries", "unknown cname", "present may", "title", "name", "hostname add", "writeconsolea", "regsetvalueexa", "regdword", "show", "deep panda", "module load", "t1129", "post", "write", "markus", "april", "win32", "lost", "malware", "backdoor", "present dec", "virgin islands", "trojan", "present feb", "present jan", "error", "avast avg", "possible deep", "ipv4 add", "pulse pulses", "files", "hosting", "location virgin", "islands", "twitter", "panda", "associated urls", "date checked", "url hostname", "server response", "read c", "formbook cnc", "checkin", "medium", "yara detections", "delete", "ids detections", "pulse", "srs ab", "showing", "uregistruotas", "date", "pulses", "unknown ns", "xloader" ], "references": [ "/hcp/ruxitagentjs_ICA7NVfqrux_10321250808084810.js", "IDS Detections: Possible DEEP PANDA C2 Activity Possible Deep Panda - Sakula/Mivast RAT CnC", "IDS: Beacon 5 Sakula/Mivast C2 Activity HTTP traffic on port 443 (POST)", "Yara Detections: RAT_Sakula , ScanBox_Malware_Generic , Nrv2x , UPX_OEP_place , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser ,", "Yara: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "Yara: kernel32_dll_xor_exe_key_11 , xor_0xb_kernel32_dll", "Alerts: network_icmp persistence_autorun modifies_proxy_wpad packer_polymorphic", "IDS: FormBook CnC Checkin (POST) Terse HTTP 1.0 Request Possible Nivdort Beacon 5 Possible DEEP PANDA C2 Activity (208.91.197.27)", "IDS: Possible HTTP 403 XSS Attempt (Local Source) Possible Deep Panda - Sakula/Mivast RAT CnC (208.91.197.27)", "Craziest thing ever! Hall Render \u2018alleged\u2019 Law Firm was paying Tara Brasheats insurance?!", "Insane! They 1st kicked her of her Private pay United Healthcare. Put her off of Medicare. Won\u2019t pay!", "http://2fwww.hallrender.com/ \u2022 http://citrix.hallrender.com/ \u2022 http://dev.hallrender.com/ http://hallrender.com/attorney/brian-sabey/ No Expiration\t0\t URL http://hallrender.com/resource-blog No Expiration\t0\t URL http://hallrender.com/resources No Expiration\t0\t URL http://mail.hallrender.com/ No Expiration\t0\t URL http://www.hallrender.com/attorney/brian-sabey", "autodiscover.hallrender.com \u2022 hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed", "image.marketing.hallrender.com \u2022 https://hallrender.com/resources \u2022", "https://hallrender.com/resources/blog/ \u2022 https://www.hallrender.com/attorn", "www.podcast.hallrender.com \u2022 https://hallrender.com/resource-blog \u2022", "https://hallrender.com/attorney/gregg-m-wallander/", "https://elite.hallrender.com/TE_3E_PROD/web/ui/dashboard/ActionList_CCC", "https://hallrender.com/attorney/brian-sabey/ \u2022 https://hallrender.com/resources/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Backdoor:Win32/Plugx.N!dha", "display_name": "Backdoor:Win32/Plugx.N!dha", "target": "/malware/Backdoor:Win32/Plugx.N!dha" }, { "id": "Sakurel", "display_name": "Sakurel", "target": null }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "Virtool:Win32/Obfuscator.JM", "display_name": "Virtool:Win32/Obfuscator.JM", "target": "/malware/Virtool:Win32/Obfuscator.JM" }, { "id": "Formbook", "display_name": "Formbook", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [ "Healthcare", "Legal", "Government" ], "TLP": "white", "cloned_from": "68d09835fed794bdc304de40", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1886, "domain": 378, "hostname": 882, "FileHash-MD5": 173, "FileHash-SHA1": 172, "FileHash-SHA256": 1038, "email": 9 }, "indicator_count": 4538, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "179 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://app.careforth.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://app.careforth.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776627750.744877 }