{ "type": "URL", "indicator": "https://autodiscover.avidsolutions.com.au", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://autodiscover.avidsolutions.com.au", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3870694673, "indicator": "https://autodiscover.avidsolutions.com.au", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "68d0b00b7ccb342031594e77", "name": "OTX Generated with strange commentary as always", "description": "OTX Auto populated-> Yara Yara, a 27-year-old woman from New York, has found that a law firm allegedly controlled Tsara Brashears' life and healthcare plan under the guise of being a Medicare United Healthcare plan. |", "modified": "2025-10-22T02:00:03.967000", "created": "2025-09-22T02:10:19.819000", "tags": [ "expiration", "url http", "hall render", "possible deep", "https", "deep panda", "brian sabey", "tsara brashears", "panda", "post", "virtool", "service", "fraud", "url https", "search", "type indicator", "role title", "added active", "related pulses", "claim reversal", "view", "fieldlastname", "filehashmd5", "filehashsha1", "domain", "hostname", "virgin islands", "united", "canada", "ireland", "writeconsolea", "regsetvalueexa", "regdword", "module load", "t1129", "show", "micromedia", "write", "markus", "april", "win32", "lost", "malware", "copy", "c2 activity", "cnc ids", "beacon", "server", "domain status", "algorithm", "key identifier", "x509v3 subject", "full name", "date", "registrar abuse", "registrar", "data", "ipv4", "returnurl", "masquerade task", "t1448", "carrier billing", "fraud endpoint", "security scan", "iocs", "learn more", "relationship", "t1040", "sniffing", "t1045", "packing", "t1053", "taskjob", "t1060", "scan", "entries", "healthcare", "legal", "families", "sakurel", "formbook att", "ck ids", "t1199", "render", "brian", "sabey", "fieldssn", "elqaid16867", "elqat1", "elqcst272", "formbookatt", "white insane", "law firm", "run keys", "ta0011", "command", "control", "t1410", "redirection", "medium", "windows", "high", "yara detections", "backdoor", "showing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [ "Healthcare", "Legal", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2189, "FileHash-MD5": 469, "FileHash-SHA1": 447, "FileHash-SHA256": 2446, "domain": 465, "hostname": 1224, "email": 15 }, "indicator_count": 7255, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "179 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d09835fed794bdc304de40", "name": "Deep Panda | Hall Render | Brian Sabey controlled Tsara Brashears life & Healthcare", "description": "Insane. Law Firm Hall Render including attorneys allegedly named M. \u2018Brian Sabey\u2019 and \u2018Gregg Wallender\u2019 began hosting a private pay healthcare plan for Tsara Brashears under the the guise of being a Medicare United Healthcare plan from 3/2021 - 12/2024. What Fraud! Brashears became millions $ in debt. Multiple insurance companies have had to be updated only to be cancelled. She\u2019d been denied spinal stabilization surgery worsening SCI C1 - L5. I didn\u2019t expect to find this at all. When her supplies weren\u2019t paid for. Angry supplier gave information to caregiver. Since then attempts on lives. \nNone of us are safe. I wonder if this is also part of Hall Render. How is this possible?\n\nThese are very dangerous people with hitmen. \nPlease STOP!", "modified": "2025-10-21T23:02:21.484000", "created": "2025-09-22T00:28:37.292000", "tags": [ "expiration", "related pulses", "language", "html document", "ascii text", "crlf line", "doctype", "portal", "enter", "tax id", "provider portal", "home", "iis windows", "provider web", "portal account", "please", "status", "server", "domain status", "registrar abuse", "registrar", "dnssec", "us registrant", "email", "contact email", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "se review", "exclude data", "extraction", "search otx", "data upload", "enter source", "url or", "texurag", "value a", "se source", "extra", "referen data", "ica7nvfarux", "include review", "failed", "sc data", "type", "extra data", "referen", "hcpruxi include", "review exclude", "sugges", "exclude", "find s", "typ url", "hos hos", "domain hos", "hast", "referen hcpruxi", "include", "cus cndigicert", "sha256", "ca1 odigicert", "inc validity", "ogainwell", "subject public", "key info", "available from", "code", "registry tech", "admin country", "gb registrant", "organization", "registry domain", "tech email", "iocs", "name servers", "emails", "search", "certificate", "passive dns", "urls", "domain", "record value", "body", "united", "present jul", "present jun", "moved", "ip address", "entries", "unknown cname", "present may", "title", "name", "hostname add", "writeconsolea", "regsetvalueexa", "regdword", "show", "deep panda", "module load", "t1129", "post", "write", "markus", "april", "win32", "lost", "malware", "backdoor", "present dec", "virgin islands", "trojan", "present feb", "present jan", "error", "avast avg", "possible deep", "ipv4 add", "pulse pulses", "files", "hosting", "location virgin", "islands", "twitter", "panda", "associated urls", "date checked", "url hostname", "server response", "read c", "formbook cnc", "checkin", "medium", "yara detections", "delete", "ids detections", "pulse", "srs ab", "showing", "uregistruotas", "date", "pulses", "unknown ns", "xloader" ], "references": [ "/hcp/ruxitagentjs_ICA7NVfqrux_10321250808084810.js", "IDS Detections: Possible DEEP PANDA C2 Activity Possible Deep Panda - Sakula/Mivast RAT CnC", "IDS: Beacon 5 Sakula/Mivast C2 Activity HTTP traffic on port 443 (POST)", "Yara Detections: RAT_Sakula , ScanBox_Malware_Generic , Nrv2x , UPX_OEP_place , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser ,", "Yara: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "Yara: kernel32_dll_xor_exe_key_11 , xor_0xb_kernel32_dll", "Alerts: network_icmp persistence_autorun modifies_proxy_wpad packer_polymorphic", "IDS: FormBook CnC Checkin (POST) Terse HTTP 1.0 Request Possible Nivdort Beacon 5 Possible DEEP PANDA C2 Activity (208.91.197.27)", "IDS: Possible HTTP 403 XSS Attempt (Local Source) Possible Deep Panda - Sakula/Mivast RAT CnC (208.91.197.27)", "Craziest thing ever! Hall Render \u2018alleged\u2019 Law Firm was paying Tara Brasheats insurance?!", "Insane! They 1st kicked her of her Private pay United Healthcare. Put her off of Medicare. Won\u2019t pay!", "http://2fwww.hallrender.com/ \u2022 http://citrix.hallrender.com/ \u2022 http://dev.hallrender.com/ http://hallrender.com/attorney/brian-sabey/ No Expiration\t0\t URL http://hallrender.com/resource-blog No Expiration\t0\t URL http://hallrender.com/resources No Expiration\t0\t URL http://mail.hallrender.com/ No Expiration\t0\t URL http://www.hallrender.com/attorney/brian-sabey", "autodiscover.hallrender.com \u2022 hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed", "image.marketing.hallrender.com \u2022 https://hallrender.com/resources \u2022", "https://hallrender.com/resources/blog/ \u2022 https://www.hallrender.com/attorn", "www.podcast.hallrender.com \u2022 https://hallrender.com/resource-blog \u2022", "https://hallrender.com/attorney/gregg-m-wallander/", "https://elite.hallrender.com/TE_3E_PROD/web/ui/dashboard/ActionList_CCC", "https://hallrender.com/attorney/brian-sabey/ \u2022 https://hallrender.com/resources/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Backdoor:Win32/Plugx.N!dha", "display_name": "Backdoor:Win32/Plugx.N!dha", "target": "/malware/Backdoor:Win32/Plugx.N!dha" }, { "id": "Sakurel", "display_name": "Sakurel", "target": null }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "Virtool:Win32/Obfuscator.JM", "display_name": "Virtool:Win32/Obfuscator.JM", "target": "/malware/Virtool:Win32/Obfuscator.JM" }, { "id": "Formbook", "display_name": "Formbook", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [ "Healthcare", "Legal", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1886, "domain": 378, "hostname": 882, "FileHash-MD5": 173, "FileHash-SHA1": 172, "FileHash-SHA256": 1038, "email": 9 }, "indicator_count": 4538, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "180 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d1021acaa3ff0024effb9a", "name": "Deep Panda \u2022 Formbook - Provider Portal Account Entry \u2022 Widespread issue| Attributed to Brian Sabey of Hall Render ", "description": "", "modified": "2025-10-21T23:02:21.484000", "created": "2025-09-22T08:00:26.271000", "tags": [ "expiration", "related pulses", "language", "html document", "ascii text", "crlf line", "doctype", "portal", "enter", "tax id", "provider portal", "home", "iis windows", "provider web", "portal account", "please", "status", "server", "domain status", "registrar abuse", "registrar", "dnssec", "us registrant", "email", "contact email", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "se review", "exclude data", "extraction", "search otx", "data upload", "enter source", "url or", "texurag", "value a", "se source", "extra", "referen data", "ica7nvfarux", "include review", "failed", "sc data", "type", "extra data", "referen", "hcpruxi include", "review exclude", "sugges", "exclude", "find s", "typ url", "hos hos", "domain hos", "hast", "referen hcpruxi", "include", "cus cndigicert", "sha256", "ca1 odigicert", "inc validity", "ogainwell", "subject public", "key info", "available from", "code", "registry tech", "admin country", "gb registrant", "organization", "registry domain", "tech email", "iocs", "name servers", "emails", "search", "certificate", "passive dns", "urls", "domain", "record value", "body", "united", "present jul", "present jun", "moved", "ip address", "entries", "unknown cname", "present may", "title", "name", "hostname add", "writeconsolea", "regsetvalueexa", "regdword", "show", "deep panda", "module load", "t1129", "post", "write", "markus", "april", "win32", "lost", "malware", "backdoor", "present dec", "virgin islands", "trojan", "present feb", "present jan", "error", "avast avg", "possible deep", "ipv4 add", "pulse pulses", "files", "hosting", "location virgin", "islands", "twitter", "panda", "associated urls", "date checked", "url hostname", "server response", "read c", "formbook cnc", "checkin", "medium", "yara detections", "delete", "ids detections", "pulse", "srs ab", "showing", "uregistruotas", "date", "pulses", "unknown ns", "xloader" ], "references": [ "/hcp/ruxitagentjs_ICA7NVfqrux_10321250808084810.js", "IDS Detections: Possible DEEP PANDA C2 Activity Possible Deep Panda - Sakula/Mivast RAT CnC", "IDS: Beacon 5 Sakula/Mivast C2 Activity HTTP traffic on port 443 (POST)", "Yara Detections: RAT_Sakula , ScanBox_Malware_Generic , Nrv2x , UPX_OEP_place , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser ,", "Yara: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "Yara: kernel32_dll_xor_exe_key_11 , xor_0xb_kernel32_dll", "Alerts: network_icmp persistence_autorun modifies_proxy_wpad packer_polymorphic", "IDS: FormBook CnC Checkin (POST) Terse HTTP 1.0 Request Possible Nivdort Beacon 5 Possible DEEP PANDA C2 Activity (208.91.197.27)", "IDS: Possible HTTP 403 XSS Attempt (Local Source) Possible Deep Panda - Sakula/Mivast RAT CnC (208.91.197.27)", "Craziest thing ever! Hall Render \u2018alleged\u2019 Law Firm was paying Tara Brasheats insurance?!", "Insane! They 1st kicked her of her Private pay United Healthcare. Put her off of Medicare. Won\u2019t pay!", "http://2fwww.hallrender.com/ \u2022 http://citrix.hallrender.com/ \u2022 http://dev.hallrender.com/ http://hallrender.com/attorney/brian-sabey/ No Expiration\t0\t URL http://hallrender.com/resource-blog No Expiration\t0\t URL http://hallrender.com/resources No Expiration\t0\t URL http://mail.hallrender.com/ No Expiration\t0\t URL http://www.hallrender.com/attorney/brian-sabey", "autodiscover.hallrender.com \u2022 hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed", "image.marketing.hallrender.com \u2022 https://hallrender.com/resources \u2022", "https://hallrender.com/resources/blog/ \u2022 https://www.hallrender.com/attorn", "www.podcast.hallrender.com \u2022 https://hallrender.com/resource-blog \u2022", "https://hallrender.com/attorney/gregg-m-wallander/", "https://elite.hallrender.com/TE_3E_PROD/web/ui/dashboard/ActionList_CCC", "https://hallrender.com/attorney/brian-sabey/ \u2022 https://hallrender.com/resources/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Backdoor:Win32/Plugx.N!dha", "display_name": "Backdoor:Win32/Plugx.N!dha", "target": "/malware/Backdoor:Win32/Plugx.N!dha" }, { "id": "Sakurel", "display_name": "Sakurel", "target": null }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "Virtool:Win32/Obfuscator.JM", "display_name": "Virtool:Win32/Obfuscator.JM", "target": "/malware/Virtool:Win32/Obfuscator.JM" }, { "id": "Formbook", "display_name": "Formbook", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [ "Healthcare", "Legal", "Government" ], "TLP": "white", "cloned_from": "68d09835fed794bdc304de40", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1886, "domain": 378, "hostname": 882, "FileHash-MD5": 173, "FileHash-SHA1": 172, "FileHash-SHA256": 1038, "email": 9 }, "indicator_count": 4538, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "180 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689030129ed94e6805755c52", "name": "iimcb.e-kei.pl iimcb.gov.pl ip4 94.152.54.231 (94.152.0.0/16) ???", "description": "https://www.virustotal.com/gui/domain/iimcb.e-kei.pl/details\nhttps://www.virustotal.com/gui/domain/iimcb.gov.pl/details\nhttps://www.virustotal.com/gui/ip-address/94.152.54.231/details", "modified": "2025-09-03T03:00:19.806000", "created": "2025-08-04T03:59:14.325000", "tags": [], "references": [ "iimcb.e-kei.pl", "iimcb.e.gov.pl", "iimcb.gov.pl" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 249, "FileHash-MD5": 2, "FileHash-SHA1": 26, "FileHash-SHA256": 49, "hostname": 961, "URL": 2001, "CVE": 1 }, "indicator_count": 3289, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "228 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66f351ce26a103377d8eb5fa", "name": "Sex Tokens | Injection \u00bb Porn dumping - Cyber Folks .PL | Spectrum", "description": "Porn dumping into targeted devices after great effort. \nHall Render has always been a Malware Hosting website.\nDrive by compromise, \nPorn Storm compilation.\n\nhttps://api.dotz.com.br/accounts/api/default/externallogin/login", "modified": "2024-10-24T22:01:13.406000", "created": "2024-09-24T23:57:02.111000", "tags": [ "url https", "search", "type indicator", "role title", "added active", "related pulses", "url http", "porn type", "showing", "entries", "tsara type", "pulses url", "adware backdoor", "email document", "exploit domain", "owner exploit", "kit exploit", "source file", "hacking tools", "hunting macro", "malware hosting", "memory scanning", "wild fantasy", "world", "download", "xxx video", "xxx sex", "desi", "tamil", "videos xxx", "hd posts", "photos pics", "https", "indicator role", "title added", "active related", "unknown", "united", "for privacy", "nxdomain", "meta", "internet gmbh", "creation date", "date", "audio", "clear hindi", "bhabi sex", "bedroom indian", "fakaid", "ww3008", "fingering her", "young boy", "sexy", "next", "witch", "filehashmd5", "ipv4", "months ago", "information", "scan endpoints", "all scoreblue", "report spam", "created", "modified", "zbot", "keyword", "latina", "teen sex", "jeffrey reimer", "reimer dpt", "jeff reimer sex", "reimer type", "hostname", "domain", "copyright", "remote", "t1003", "os credential", "dumping", "t1012", "t1036", "t1071", "protocol", "t1082", "as8075", "aaaa", "as30148 sucuri", "certificate", "record value", "body", "status", "passive dns", "urls", "hallrender", "brian sabey", "sabey xxx", "drive by compromise", "cobalt strike", "overview ip", "address", "related nids", "files location", "china flag", "china domain", "files related", "pulses none", "files domain", "analyzer paste", "iocs", "hostnames", "urls https", "china unknown", "as4837 china", "redacted for", "a domains", "cname", "jeffrey reimer pt", "sucuri website", "span td", "time", "firewall", "win64", "back", "xtra", "name servers", "files", "tls web", "log id", "gmtn", "false", "ocsp", "ca issuers", "phucket news", "hacking", "registrar abuse", "gateway protocol abuse", "swipper relationship" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1599, "hostname": 2988, "URL": 8561, "FileHash-SHA256": 1207, "email": 41, "FileHash-MD5": 126, "FileHash-SHA1": 36, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 14561, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "542 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66577ac0e1788e544c312e3f", "name": "Backdoor:MSIL/Noancooe.A | Network sniffing Lime bandit", "description": "Backdoor:MSIL/Noancooe.A: Backdoor arrives on a system as a file dropped by other malware or as a file downloaded giving malicious hackers unauthorized access and control of your PC.", "modified": "2024-06-28T18:00:33.800000", "created": "2024-05-29T18:58:08.465000", "tags": [ "algorithm", "full name", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "date", "code", "first", "server", "privacy notice", "aaaa", "google", "july", "xcitium verdict", "record type", "ttl value", "data", "name verdict", "falcon sandbox", "jpeg image", "jfif standard", "ascii text", "pattern match", "mitre att", "ck id", "show technique", "ck matrix", "united", "et tor", "path", "mask", "hybrid", "generator", "local", "click", "strings", "union", "#metoo", "russell mcveagh", "grope", "moved", "civicaig", "now hiring", "apple", "unknown", "a domains", "passive dns", "urls", "creation date", "status", "search", "expiration date", "hong kong", "as133775 xiamen", "germany unknown", "scan endpoints", "all scoreblue", "body", "next", "hacking", "critical", "jailbreak", "m", "tech", "hit", "men", "sreredrum", "lime", "as24940 hetzner", "cname", "germany", "as16276", "domain", "spain unknown", "as31898 oracle", "as396982 google", "as5617 orange", "poland unknown", "as8881", "as19905", "msil", "kiwis", "sabey data centers", "nemtih", "attack tsara brashears", "t phone", "t mail", "t", "lakewood", "arvada", "jeff reimer dpt", "jeffrey scott", "lakeside", "grey st", "capture", "aquire", "aig", "sammie", "smith", "johnson", "xfinity", "whisper", "sky", "cybercrime", "true", "cyprus", "attack path", "pattern match" ], "references": [ "www.russellmcveagh.com - Law Firm (front?) Document Moved", "Russell McVeagh - New Zealand's leading commercial law firm, known as the go-to team for tackling complex legal problems.", "www.auth.civicalg.com.sni.cloudflaressl.com | civicalg.com", "It's all the same | AIG, Michael Roberts Rexxfield 'bounty hunter' Brian Sabey HallRender (?)", "This area is swarming with PI's (his , hers and theirs)", "Hired hackers to jailbreak and locate devices. Brute forces, business and personal devices, network attacked.", "Crime scene unit vans from different county.", "Front Range security guard w/unsolicited account of on premise hacker causeing outage. Why would he be 'in the know, or giving information?", "sonar.lg-nonprod.civicalg.com (dangerous) peneservice71.auth.civicalg.com, install.civicalg.com", "#MeToo - A former Russell McVeagh partner found guilty of \"disgraceful\" sexual misconduct at the heart of New Zealand's #MeToo movement.", "http://droid--apk-ru.webpkgcache.com/", "http://e.name/?C.push.apply | https://application.t.email/backscreen", "appleread.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Backdoor:MSIL/Noancooe.A", "display_name": "Backdoor:MSIL/Noancooe.A", "target": "/malware/Backdoor:MSIL/Noancooe.A" } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 695, "URL": 1111, "FileHash-MD5": 7, "FileHash-SHA1": 17, "FileHash-SHA256": 230, "domain": 643, "email": 9, "SSLCertFingerprint": 6 }, "indicator_count": 2718, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "660 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "It's all the same | AIG, Michael Roberts Rexxfield 'bounty hunter' Brian Sabey HallRender (?)", "www.auth.civicalg.com.sni.cloudflaressl.com | civicalg.com", "#MeToo - A former Russell McVeagh partner found guilty of \"disgraceful\" sexual misconduct at the heart of New Zealand's #MeToo movement.", "Russell McVeagh - New Zealand's leading commercial law firm, known as the go-to team for tackling complex legal problems.", "http://2fwww.hallrender.com/ \u2022 http://citrix.hallrender.com/ \u2022 http://dev.hallrender.com/ http://hallrender.com/attorney/brian-sabey/ No Expiration\t0\t URL http://hallrender.com/resource-blog No Expiration\t0\t URL http://hallrender.com/resources No Expiration\t0\t URL http://mail.hallrender.com/ No Expiration\t0\t URL http://www.hallrender.com/attorney/brian-sabey", "Crime scene unit vans from different county.", "sonar.lg-nonprod.civicalg.com (dangerous) peneservice71.auth.civicalg.com, install.civicalg.com", "https://elite.hallrender.com/TE_3E_PROD/web/ui/dashboard/ActionList_CCC", "IDS: Possible HTTP 403 XSS Attempt (Local Source) Possible Deep Panda - Sakula/Mivast RAT CnC (208.91.197.27)", "IDS Detections: Possible DEEP PANDA C2 Activity Possible Deep Panda - Sakula/Mivast RAT CnC", "Craziest thing ever! Hall Render \u2018alleged\u2019 Law Firm was paying Tara Brasheats insurance?!", "image.marketing.hallrender.com \u2022 https://hallrender.com/resources \u2022", "www.russellmcveagh.com - Law Firm (front?) Document Moved", "www.podcast.hallrender.com \u2022 https://hallrender.com/resource-blog \u2022", "http://droid--apk-ru.webpkgcache.com/", "Insane! They 1st kicked her of her Private pay United Healthcare. Put her off of Medicare. Won\u2019t pay!", "Front Range security guard w/unsolicited account of on premise hacker causeing outage. Why would he be 'in the know, or giving information?", "https://hallrender.com/resources/blog/ \u2022 https://www.hallrender.com/attorn", "Yara Detections: RAT_Sakula , ScanBox_Malware_Generic , Nrv2x , UPX_OEP_place , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser ,", "IDS: FormBook CnC Checkin (POST) Terse HTTP 1.0 Request Possible Nivdort Beacon 5 Possible DEEP PANDA C2 Activity (208.91.197.27)", "Yara: kernel32_dll_xor_exe_key_11 , xor_0xb_kernel32_dll", "iimcb.e.gov.pl", "/hcp/ruxitagentjs_ICA7NVfqrux_10321250808084810.js", "Alerts: network_icmp persistence_autorun modifies_proxy_wpad packer_polymorphic", "This area is swarming with PI's (his , hers and theirs)", "appleread.net", "http://e.name/?C.push.apply | https://application.t.email/backscreen", "autodiscover.hallrender.com \u2022 hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed", "https://hallrender.com/attorney/brian-sabey/ \u2022 https://hallrender.com/resources/", "IDS: Beacon 5 Sakula/Mivast C2 Activity HTTP traffic on port 443 (POST)", "iimcb.gov.pl", "https://hallrender.com/attorney/gregg-m-wallander/", "iimcb.e-kei.pl", "Hired hackers to jailbreak and locate devices. Brute forces, business and personal devices, network attacked.", "Yara: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Backdoor:win32/plugx.n!dha", "Formbook", "Sakurel", "Backdoor:msil/noancooe.a", "Virtool:win32/obfuscator.jm", "Win.packed.generic-9967832-0" ], "industries": [ "Healthcare", "Government", "Legal", "Civil society", "Technology", "Telecommunications" ], "unique_indicators": 27812 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/avidsolutions.com.au", "whois": "http://whois.domaintools.com/avidsolutions.com.au", "domain": "avidsolutions.com.au", "hostname": "autodiscover.avidsolutions.com.au" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "68d0b00b7ccb342031594e77", "name": "OTX Generated with strange commentary as always", "description": "OTX Auto populated-> Yara Yara, a 27-year-old woman from New York, has found that a law firm allegedly controlled Tsara Brashears' life and healthcare plan under the guise of being a Medicare United Healthcare plan. |", "modified": "2025-10-22T02:00:03.967000", "created": "2025-09-22T02:10:19.819000", "tags": [ "expiration", "url http", "hall render", "possible deep", "https", "deep panda", "brian sabey", "tsara brashears", "panda", "post", "virtool", "service", "fraud", "url https", "search", "type indicator", "role title", "added active", "related pulses", "claim reversal", "view", "fieldlastname", "filehashmd5", "filehashsha1", "domain", "hostname", "virgin islands", "united", "canada", "ireland", "writeconsolea", "regsetvalueexa", "regdword", "module load", "t1129", "show", "micromedia", "write", "markus", "april", "win32", "lost", "malware", "copy", "c2 activity", "cnc ids", "beacon", "server", "domain status", "algorithm", "key identifier", "x509v3 subject", "full name", "date", "registrar abuse", "registrar", "data", "ipv4", "returnurl", "masquerade task", "t1448", "carrier billing", "fraud endpoint", "security scan", "iocs", "learn more", "relationship", "t1040", "sniffing", "t1045", "packing", "t1053", "taskjob", "t1060", "scan", "entries", "healthcare", "legal", "families", "sakurel", "formbook att", "ck ids", "t1199", "render", "brian", "sabey", "fieldssn", "elqaid16867", "elqat1", "elqcst272", "formbookatt", "white insane", "law firm", "run keys", "ta0011", "command", "control", "t1410", "redirection", "medium", "windows", "high", "yara detections", "backdoor", "showing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [ "Healthcare", "Legal", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2189, "FileHash-MD5": 469, "FileHash-SHA1": 447, "FileHash-SHA256": 2446, "domain": 465, "hostname": 1224, "email": 15 }, "indicator_count": 7255, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "179 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d09835fed794bdc304de40", "name": "Deep Panda | Hall Render | Brian Sabey controlled Tsara Brashears life & Healthcare", "description": "Insane. Law Firm Hall Render including attorneys allegedly named M. \u2018Brian Sabey\u2019 and \u2018Gregg Wallender\u2019 began hosting a private pay healthcare plan for Tsara Brashears under the the guise of being a Medicare United Healthcare plan from 3/2021 - 12/2024. What Fraud! Brashears became millions $ in debt. Multiple insurance companies have had to be updated only to be cancelled. She\u2019d been denied spinal stabilization surgery worsening SCI C1 - L5. I didn\u2019t expect to find this at all. When her supplies weren\u2019t paid for. Angry supplier gave information to caregiver. Since then attempts on lives. \nNone of us are safe. I wonder if this is also part of Hall Render. How is this possible?\n\nThese are very dangerous people with hitmen. \nPlease STOP!", "modified": "2025-10-21T23:02:21.484000", "created": "2025-09-22T00:28:37.292000", "tags": [ "expiration", "related pulses", "language", "html document", "ascii text", "crlf line", "doctype", "portal", "enter", "tax id", "provider portal", "home", "iis windows", "provider web", "portal account", "please", "status", "server", "domain status", "registrar abuse", "registrar", "dnssec", "us registrant", "email", "contact email", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "se review", "exclude data", "extraction", "search otx", "data upload", "enter source", "url or", "texurag", "value a", "se source", "extra", "referen data", "ica7nvfarux", "include review", "failed", "sc data", "type", "extra data", "referen", "hcpruxi include", "review exclude", "sugges", "exclude", "find s", "typ url", "hos hos", "domain hos", "hast", "referen hcpruxi", "include", "cus cndigicert", "sha256", "ca1 odigicert", "inc validity", "ogainwell", "subject public", "key info", "available from", "code", "registry tech", "admin country", "gb registrant", "organization", "registry domain", "tech email", "iocs", "name servers", "emails", "search", "certificate", "passive dns", "urls", "domain", "record value", "body", "united", "present jul", "present jun", "moved", "ip address", "entries", "unknown cname", "present may", "title", "name", "hostname add", "writeconsolea", "regsetvalueexa", "regdword", "show", "deep panda", "module load", "t1129", "post", "write", "markus", "april", "win32", "lost", "malware", "backdoor", "present dec", "virgin islands", "trojan", "present feb", "present jan", "error", "avast avg", "possible deep", "ipv4 add", "pulse pulses", "files", "hosting", "location virgin", "islands", "twitter", "panda", "associated urls", "date checked", "url hostname", "server response", "read c", "formbook cnc", "checkin", "medium", "yara detections", "delete", "ids detections", "pulse", "srs ab", "showing", "uregistruotas", "date", "pulses", "unknown ns", "xloader" ], "references": [ "/hcp/ruxitagentjs_ICA7NVfqrux_10321250808084810.js", "IDS Detections: Possible DEEP PANDA C2 Activity Possible Deep Panda - Sakula/Mivast RAT CnC", "IDS: Beacon 5 Sakula/Mivast C2 Activity HTTP traffic on port 443 (POST)", "Yara Detections: RAT_Sakula , ScanBox_Malware_Generic , Nrv2x , UPX_OEP_place , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser ,", "Yara: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "Yara: kernel32_dll_xor_exe_key_11 , xor_0xb_kernel32_dll", "Alerts: network_icmp persistence_autorun modifies_proxy_wpad packer_polymorphic", "IDS: FormBook CnC Checkin (POST) Terse HTTP 1.0 Request Possible Nivdort Beacon 5 Possible DEEP PANDA C2 Activity (208.91.197.27)", "IDS: Possible HTTP 403 XSS Attempt (Local Source) Possible Deep Panda - Sakula/Mivast RAT CnC (208.91.197.27)", "Craziest thing ever! Hall Render \u2018alleged\u2019 Law Firm was paying Tara Brasheats insurance?!", "Insane! They 1st kicked her of her Private pay United Healthcare. Put her off of Medicare. Won\u2019t pay!", "http://2fwww.hallrender.com/ \u2022 http://citrix.hallrender.com/ \u2022 http://dev.hallrender.com/ http://hallrender.com/attorney/brian-sabey/ No Expiration\t0\t URL http://hallrender.com/resource-blog No Expiration\t0\t URL http://hallrender.com/resources No Expiration\t0\t URL http://mail.hallrender.com/ No Expiration\t0\t URL http://www.hallrender.com/attorney/brian-sabey", "autodiscover.hallrender.com \u2022 hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed", "image.marketing.hallrender.com \u2022 https://hallrender.com/resources \u2022", "https://hallrender.com/resources/blog/ \u2022 https://www.hallrender.com/attorn", "www.podcast.hallrender.com \u2022 https://hallrender.com/resource-blog \u2022", "https://hallrender.com/attorney/gregg-m-wallander/", "https://elite.hallrender.com/TE_3E_PROD/web/ui/dashboard/ActionList_CCC", "https://hallrender.com/attorney/brian-sabey/ \u2022 https://hallrender.com/resources/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Backdoor:Win32/Plugx.N!dha", "display_name": "Backdoor:Win32/Plugx.N!dha", "target": "/malware/Backdoor:Win32/Plugx.N!dha" }, { "id": "Sakurel", "display_name": "Sakurel", "target": null }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "Virtool:Win32/Obfuscator.JM", "display_name": "Virtool:Win32/Obfuscator.JM", "target": "/malware/Virtool:Win32/Obfuscator.JM" }, { "id": "Formbook", "display_name": "Formbook", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [ "Healthcare", "Legal", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1886, "domain": 378, "hostname": 882, "FileHash-MD5": 173, "FileHash-SHA1": 172, "FileHash-SHA256": 1038, "email": 9 }, "indicator_count": 4538, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "180 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d1021acaa3ff0024effb9a", "name": "Deep Panda \u2022 Formbook - Provider Portal Account Entry \u2022 Widespread issue| Attributed to Brian Sabey of Hall Render ", "description": "", "modified": "2025-10-21T23:02:21.484000", "created": "2025-09-22T08:00:26.271000", "tags": [ "expiration", "related pulses", "language", "html document", "ascii text", "crlf line", "doctype", "portal", "enter", "tax id", "provider portal", "home", "iis windows", "provider web", "portal account", "please", "status", "server", "domain status", "registrar abuse", "registrar", "dnssec", "us registrant", "email", "contact email", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "se review", "exclude data", "extraction", "search otx", "data upload", "enter source", "url or", "texurag", "value a", "se source", "extra", "referen data", "ica7nvfarux", "include review", "failed", "sc data", "type", "extra data", "referen", "hcpruxi include", "review exclude", "sugges", "exclude", "find s", "typ url", "hos hos", "domain hos", "hast", "referen hcpruxi", "include", "cus cndigicert", "sha256", "ca1 odigicert", "inc validity", "ogainwell", "subject public", "key info", "available from", "code", "registry tech", "admin country", "gb registrant", "organization", "registry domain", "tech email", "iocs", "name servers", "emails", "search", "certificate", "passive dns", "urls", "domain", "record value", "body", "united", "present jul", "present jun", "moved", "ip address", "entries", "unknown cname", "present may", "title", "name", "hostname add", "writeconsolea", "regsetvalueexa", "regdword", "show", "deep panda", "module load", "t1129", "post", "write", "markus", "april", "win32", "lost", "malware", "backdoor", "present dec", "virgin islands", "trojan", "present feb", "present jan", "error", "avast avg", "possible deep", "ipv4 add", "pulse pulses", "files", "hosting", "location virgin", "islands", "twitter", "panda", "associated urls", "date checked", "url hostname", "server response", "read c", "formbook cnc", "checkin", "medium", "yara detections", "delete", "ids detections", "pulse", "srs ab", "showing", "uregistruotas", "date", "pulses", "unknown ns", "xloader" ], "references": [ "/hcp/ruxitagentjs_ICA7NVfqrux_10321250808084810.js", "IDS Detections: Possible DEEP PANDA C2 Activity Possible Deep Panda - Sakula/Mivast RAT CnC", "IDS: Beacon 5 Sakula/Mivast C2 Activity HTTP traffic on port 443 (POST)", "Yara Detections: RAT_Sakula , ScanBox_Malware_Generic , Nrv2x , UPX_OEP_place , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser ,", "Yara: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "Yara: kernel32_dll_xor_exe_key_11 , xor_0xb_kernel32_dll", "Alerts: network_icmp persistence_autorun modifies_proxy_wpad packer_polymorphic", "IDS: FormBook CnC Checkin (POST) Terse HTTP 1.0 Request Possible Nivdort Beacon 5 Possible DEEP PANDA C2 Activity (208.91.197.27)", "IDS: Possible HTTP 403 XSS Attempt (Local Source) Possible Deep Panda - Sakula/Mivast RAT CnC (208.91.197.27)", "Craziest thing ever! Hall Render \u2018alleged\u2019 Law Firm was paying Tara Brasheats insurance?!", "Insane! They 1st kicked her of her Private pay United Healthcare. Put her off of Medicare. Won\u2019t pay!", "http://2fwww.hallrender.com/ \u2022 http://citrix.hallrender.com/ \u2022 http://dev.hallrender.com/ http://hallrender.com/attorney/brian-sabey/ No Expiration\t0\t URL http://hallrender.com/resource-blog No Expiration\t0\t URL http://hallrender.com/resources No Expiration\t0\t URL http://mail.hallrender.com/ No Expiration\t0\t URL http://www.hallrender.com/attorney/brian-sabey", "autodiscover.hallrender.com \u2022 hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed", "image.marketing.hallrender.com \u2022 https://hallrender.com/resources \u2022", "https://hallrender.com/resources/blog/ \u2022 https://www.hallrender.com/attorn", "www.podcast.hallrender.com \u2022 https://hallrender.com/resource-blog \u2022", "https://hallrender.com/attorney/gregg-m-wallander/", "https://elite.hallrender.com/TE_3E_PROD/web/ui/dashboard/ActionList_CCC", "https://hallrender.com/attorney/brian-sabey/ \u2022 https://hallrender.com/resources/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Backdoor:Win32/Plugx.N!dha", "display_name": "Backdoor:Win32/Plugx.N!dha", "target": "/malware/Backdoor:Win32/Plugx.N!dha" }, { "id": "Sakurel", "display_name": "Sakurel", "target": null }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "Virtool:Win32/Obfuscator.JM", "display_name": "Virtool:Win32/Obfuscator.JM", "target": "/malware/Virtool:Win32/Obfuscator.JM" }, { "id": "Formbook", "display_name": "Formbook", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [ "Healthcare", "Legal", "Government" ], "TLP": "white", "cloned_from": "68d09835fed794bdc304de40", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1886, "domain": 378, "hostname": 882, "FileHash-MD5": 173, "FileHash-SHA1": 172, "FileHash-SHA256": 1038, "email": 9 }, "indicator_count": 4538, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "180 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689030129ed94e6805755c52", "name": "iimcb.e-kei.pl iimcb.gov.pl ip4 94.152.54.231 (94.152.0.0/16) ???", "description": "https://www.virustotal.com/gui/domain/iimcb.e-kei.pl/details\nhttps://www.virustotal.com/gui/domain/iimcb.gov.pl/details\nhttps://www.virustotal.com/gui/ip-address/94.152.54.231/details", "modified": "2025-09-03T03:00:19.806000", "created": "2025-08-04T03:59:14.325000", "tags": [], "references": [ "iimcb.e-kei.pl", "iimcb.e.gov.pl", "iimcb.gov.pl" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 249, "FileHash-MD5": 2, "FileHash-SHA1": 26, "FileHash-SHA256": 49, "hostname": 961, "URL": 2001, "CVE": 1 }, "indicator_count": 3289, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "228 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66f351ce26a103377d8eb5fa", "name": "Sex Tokens | Injection \u00bb Porn dumping - Cyber Folks .PL | Spectrum", "description": "Porn dumping into targeted devices after great effort. \nHall Render has always been a Malware Hosting website.\nDrive by compromise, \nPorn Storm compilation.\n\nhttps://api.dotz.com.br/accounts/api/default/externallogin/login", "modified": "2024-10-24T22:01:13.406000", "created": "2024-09-24T23:57:02.111000", "tags": [ "url https", "search", "type indicator", "role title", "added active", "related pulses", "url http", "porn type", "showing", "entries", "tsara type", "pulses url", "adware backdoor", "email document", "exploit domain", "owner exploit", "kit exploit", "source file", "hacking tools", "hunting macro", "malware hosting", "memory scanning", "wild fantasy", "world", "download", "xxx video", "xxx sex", "desi", "tamil", "videos xxx", "hd posts", "photos pics", "https", "indicator role", "title added", "active related", "unknown", "united", "for privacy", "nxdomain", "meta", "internet gmbh", "creation date", "date", "audio", "clear hindi", "bhabi sex", "bedroom indian", "fakaid", "ww3008", "fingering her", "young boy", "sexy", "next", "witch", "filehashmd5", "ipv4", "months ago", "information", "scan endpoints", "all scoreblue", "report spam", "created", "modified", "zbot", "keyword", "latina", "teen sex", "jeffrey reimer", "reimer dpt", "jeff reimer sex", "reimer type", "hostname", "domain", "copyright", "remote", "t1003", "os credential", "dumping", "t1012", "t1036", "t1071", "protocol", "t1082", "as8075", "aaaa", "as30148 sucuri", "certificate", "record value", "body", "status", "passive dns", "urls", "hallrender", "brian sabey", "sabey xxx", "drive by compromise", "cobalt strike", "overview ip", "address", "related nids", "files location", "china flag", "china domain", "files related", "pulses none", "files domain", "analyzer paste", "iocs", "hostnames", "urls https", "china unknown", "as4837 china", "redacted for", "a domains", "cname", "jeffrey reimer pt", "sucuri website", "span td", "time", "firewall", "win64", "back", "xtra", "name servers", "files", "tls web", "log id", "gmtn", "false", "ocsp", "ca issuers", "phucket news", "hacking", "registrar abuse", "gateway protocol abuse", "swipper relationship" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1599, "hostname": 2988, "URL": 8561, "FileHash-SHA256": 1207, "email": 41, "FileHash-MD5": 126, "FileHash-SHA1": 36, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 14561, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "542 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66577ac0e1788e544c312e3f", "name": "Backdoor:MSIL/Noancooe.A | Network sniffing Lime bandit", "description": "Backdoor:MSIL/Noancooe.A: Backdoor arrives on a system as a file dropped by other malware or as a file downloaded giving malicious hackers unauthorized access and control of your PC.", "modified": "2024-06-28T18:00:33.800000", "created": "2024-05-29T18:58:08.465000", "tags": [ "algorithm", "full name", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "date", "code", "first", "server", "privacy notice", "aaaa", "google", "july", "xcitium verdict", "record type", "ttl value", "data", "name verdict", "falcon sandbox", "jpeg image", "jfif standard", "ascii text", "pattern match", "mitre att", "ck id", "show technique", "ck matrix", "united", "et tor", "path", "mask", "hybrid", "generator", "local", "click", "strings", "union", "#metoo", "russell mcveagh", "grope", "moved", "civicaig", "now hiring", "apple", "unknown", "a domains", "passive dns", "urls", "creation date", "status", "search", "expiration date", "hong kong", "as133775 xiamen", "germany unknown", "scan endpoints", "all scoreblue", "body", "next", "hacking", "critical", "jailbreak", "m", "tech", "hit", "men", "sreredrum", "lime", "as24940 hetzner", "cname", "germany", "as16276", "domain", "spain unknown", "as31898 oracle", "as396982 google", "as5617 orange", "poland unknown", "as8881", "as19905", "msil", "kiwis", "sabey data centers", "nemtih", "attack tsara brashears", "t phone", "t mail", "t", "lakewood", "arvada", "jeff reimer dpt", "jeffrey scott", "lakeside", "grey st", "capture", "aquire", "aig", "sammie", "smith", "johnson", "xfinity", "whisper", "sky", "cybercrime", "true", "cyprus", "attack path", "pattern match" ], "references": [ "www.russellmcveagh.com - Law Firm (front?) Document Moved", "Russell McVeagh - New Zealand's leading commercial law firm, known as the go-to team for tackling complex legal problems.", "www.auth.civicalg.com.sni.cloudflaressl.com | civicalg.com", "It's all the same | AIG, Michael Roberts Rexxfield 'bounty hunter' Brian Sabey HallRender (?)", "This area is swarming with PI's (his , hers and theirs)", "Hired hackers to jailbreak and locate devices. Brute forces, business and personal devices, network attacked.", "Crime scene unit vans from different county.", "Front Range security guard w/unsolicited account of on premise hacker causeing outage. Why would he be 'in the know, or giving information?", "sonar.lg-nonprod.civicalg.com (dangerous) peneservice71.auth.civicalg.com, install.civicalg.com", "#MeToo - A former Russell McVeagh partner found guilty of \"disgraceful\" sexual misconduct at the heart of New Zealand's #MeToo movement.", "http://droid--apk-ru.webpkgcache.com/", "http://e.name/?C.push.apply | https://application.t.email/backscreen", "appleread.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Backdoor:MSIL/Noancooe.A", "display_name": "Backdoor:MSIL/Noancooe.A", "target": "/malware/Backdoor:MSIL/Noancooe.A" } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 695, "URL": 1111, "FileHash-MD5": 7, "FileHash-SHA1": 17, "FileHash-SHA256": 230, "domain": 643, "email": 9, "SSLCertFingerprint": 6 }, "indicator_count": 2718, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "660 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://autodiscover.avidsolutions.com.au", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://autodiscover.avidsolutions.com.au", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776642608.163307 }