{ "type": "URL", "indicator": "https://safebae.org", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://safebae.org", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3806059047, "indicator": "https://safebae.org", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 11, "pulses": [ { "id": "6872f4c510c590b7cdc5ff6a", "name": "Crowdsourced Collection of PayPal Mafia Monster - Foundry\u2019s Palantair", "description": "Americans are investing in what Edward Snowden foretold of\u2026 your future from beginning to end will predict how you will be treated. Preemptively policing people even if you have to make up a past.. |\n\nThe New York Times\nMay 30, 2025 \u2014 The Trump administration has expanded Palantir's work with the government, spreading the company's technology \u2014 which could easily merge data on ...\nFormer Palantir workers condemn company's work with ...\n\nNPR\nMay 5, 2025 \u2014 Thirteen former employees of influential data-mining firm Palantir are condemning the company's work with the Trump administration.\nWyden AOC Palantir Letter 061725\n\nSenate Finance (.gov)\nJun 17, 2025 \u2014 The Trump Administration has spent taxpayer dollars on Palantir software at numerous other government agencies and paid it billions of dollars ...\n#foundry #rip #palantir #jeffreyreimerdpt #lawenforcement #twitter #tsarabrashearsblessed #apple #privacynow #fightforprivacy #sabey #hallrender", "modified": "2025-08-11T23:02:24.583000", "created": "2025-07-12T23:50:29.847000", "tags": [ "url https", "url http", "type indicator", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses", "enter source", "urior exirag", "diri type", "data upload", "extraction", "failed", "included iocs", "review iocs", "find sugge", "extr extract", "in data", "extract", "type", "u extractio", "extra", "review ic", "ipv4", "pulses hostname", "accountunlock", "united", "ireland", "canada", "brazil", "sweden", "australia", "search", "scan", "iocs", "learn more", "filehashsha1", "filehashmd5", "types of", "extra data", "included review", "china", "colombia", "filepath https", "enter sc", "extr data", "include review", "exclude sugges", "filehashsha256", "hostname", "dicators japan", "url tor", "extrac data", "ic excluded", "suggeste", "stop", "type no", "no entrie", "included", "review locc", "excluded data", "sc data", "extri data", "includec review", "exclude data", "suggested", "se extra", "suggest", "manaiv add", "indicator", "review lace", "extri", "find s", "typ no", "no entdi", "ous u", "dron aew", "avtrat", "extre data", "manually", "add indicator", "pulses url", "url url", "typ host", "host url", "include", "z6911541", "extraction fail", "enter souf", "s type", "ur extraction", "extraction data", "jul all", "pulse data", "report external", "review", "extre please", "se extraction", "report spam", "all t8", "firmip", "bofa", "wikileaks", "tmobile", "dish", "capture", "cookie", "enter s", "please sub", "include outroov", "excludel sugges", "extra please", "high priority", "alerts ids", "priority alerts", "cnc beacon", "winver", "digitalmistica", "november", "pulse", "palantir", "foundry twitter", "arkei stealer", "config", "install", "downloader", "cidr", "domain", "indicators hong", "kong", "ukraine", "status no", "object", "unruy", "http", "remote", "keylogger", "foundry created", "days ago", "white keylogger", "apple", "foundry tech", "mafia", "t1045", "packing", "t1060", "run keys", "startup", "folder", "t1457", "showing", "types", "indicators show", "dicator role", "tsara brashears", "tsara", "porn", "porn videos", "pornhub https", "searchtsar", "watch tsara", "most relevant", "open threat", "green", "love", "daily", "videos", "free porn", "hybrid analysis", "falcon sandbox", "top tsara", "brashears porn", "stream", "spice", "download", "hybrid", "njrat", "threat network", "https", "created", "years ago", "modified", "months ago", "tinynote", "douglas county", "co sheriff", "office", "pegasus attacks", "sa victim", "octoseek public", "white", "excludedocs", "sugges", "stop data", "tsara lynn", "brashears les", "lynn brashears", "translate", "pornhub page", "emotet", "se review", "typ url", "dom hos", "hostname data", "harmful", "octoseekpulse", "attacks sa", "bandit stealer", "flubot", "agent tesla", "qbot", "qakbot", "ursnif", "azorult", "djvu", "hacktool", "maze", "dark", "linux", "android10", "khtml", "costcpc", "userosandroid", "bannerid2738231", "india", "enter so", "please subr", "suggest data", "netherlands", "russia", "america malware", "families", "sc type", "please", "show", "url data", "fanec", "include failed", "review exclude", "extre", "includea", "exclude toosrou", "sugges data", "typ data", "information", "cobalt strike", "ransomexx", "quackbot", "comspec", "span", "idn1", "sendimage0", "refts0", "include data", "uny inuuue", "fileh fileh", "exclude suggest", "uniy", "type fileh", "extr please", "ineluderc\u0660", "review data", "excludedlocs" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1065", "name": "Uncommonly Used Port", "display_name": "T1065 - Uncommonly Used Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 58, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12679, "domain": 1134, "hostname": 3543, "FileHash-MD5": 251, "email": 7, "FileHash-SHA256": 1927, "FileHash-SHA1": 232, "CVE": 1, "CIDR": 1, "URI": 1 }, "indicator_count": 19776, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "250 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "686ab98ff0cb9baa4e2b2000", "name": "https://house.mo.gov/ Palantir Technologies HARMFUL (copied OctoseekPulse) Attacks SA victims?", "description": "", "modified": "2025-08-05T21:02:46.419000", "created": "2025-07-06T17:59:43.440000", "tags": [ "runtime process", "localappdata", "size", "sha256", "sha1", "temp", "prefetch8", "prefetch1", "unicode text", "type data", "hybrid", "general", "click", "strings", "contact", "mitre", "writes a pe file header to disc", "show process", "date", "document file", "v2 document", "ascii text", "malicious", "local", "path", "found", "ssl certificate", "whois record", "threat roundup", "contacted", "october", "resolutions", "apple ios", "referrer", "communicating", "execution", "june", "august", "emotet", "qakbot", "agent tesla", "azorult", "core", "maze", "metro", "dark", "team", "critical", "copy", "awful", "ursnif", "hacktool", "info", "qbot", "april", "njrat", "nokoyawa", "djvu", "flubot", "ransomware", "bandit stealer", "hallrender", "spyware", "safebae", "tsara brashears", "westlaw", "river.rocks", "brian sabey", "targeting", "dnspionage", "united", "unknown", "search", "aaaa", "showing", "domain", "creation date", "record value", "dnssec", "body", "passive dns", "encrypt", "as14061", "germany unknown", "as397240", "gmt server", "443 ma2592000", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "main", "installing", "as16276", "france unknown", "name servers", "as8075", "servers", "next", "as63949 linode", "as206834 team", "canada unknown", "status", "as61969 team", "msie", "chrome", "ransom", "gone", "title", "head body", "malware" ], "references": [ "\u2193\u2192Found in: https://house.mo.gov/\u2193", "dns.msftncsi.com \u2022 https://dns.msftncsi.com/ \u2022 http://dns.msftncsi.com/", "demo.auth.civicalg.com.sni.cloudflaressl.com", "happyrabbit.kr [Apple iOS threat]", "https://appletoncdn.xyz/l/26422915e0d4f6f88646?sub=5eafeec1af7c0a0001960f44&source=81 \u2022 appletoncdn.xyz", "https://tracking.s-unlock.com \u2022 https://ignaciob.com/track/click/v2-318692303 \u2022 adepttracker.com \u2022", "https://your-sugar-girls.com/cams/default/adult/5277/index.html?p1=https://bongacams10.com/track?c=621661&subid=1a1d33f51a7179480c6d4aeb40d3a5a1&subid2=16969639", "https://click.stecloud.us/campaign/track-email/384458660__3339__6837152__393", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://enter.private.com/track/MTIxODEuNjEuMi41MjEuMTAxMC4wLjAuMC4w/join", "http://nudeteenporn.site" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Nokoyawa Ransomware", "display_name": "Nokoyawa Ransomware", "target": null }, { "id": "Bandit Stealer", "display_name": "Bandit Stealer", "target": null }, { "id": "FluBot", "display_name": "FluBot", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Djvu", "display_name": "Djvu", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Maze", "display_name": "Maze", "target": null }, { "id": "Dark", "display_name": "Dark", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1065", "name": "Uncommonly Used Port", "display_name": "T1065 - Uncommonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" } ], "industries": [], "TLP": "green", "cloned_from": "65c96df8fe0657d56a206a49", "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 251, "FileHash-SHA1": 211, "FileHash-SHA256": 3226, "domain": 1867, "URL": 10030, "hostname": 2919, "CVE": 7, "email": 6 }, "indicator_count": 18517, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "257 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "686adf91f725a8b7f9850192", "name": "Dystopian Life & Death of an American Crime Victim | Boldy predicted how she will die", "description": "Palantir - a data analytics company, known as a military intelligence tool. co-founded by billionaire investor , Trump supporter and Republican mega donor Musk aligned; Peter Thiel, as per New York. \n\nFounded in 2003, known for its data analytics platforms - Palantir Gotham & Palantir Foundry are used by government & private sectors for various applications, including defense & healthcare. The company faces criticism for its role in government surveillance & data privacy concerns.\nPalantir can be linked to malicious, malware packed , compromised malvertisements about victim allegedly SA\u2019d by her physical therapist Jeffrey Scott Reimer DPT. Apparently target was paid a small settlement via lengthy phone battle by a man representing himself as Brian Sabey ,Esq of Hall Render. \n Palantir, admittedly designs cyber weapon that \u2018kills people\u2019. Are governments abusing to terrorize, silence & even harm/kill American citizens. Is this an elaborate hoax?\nTeam 8 \n#rip #plantantir #Hosanna #dystopian #targeted", "modified": "2025-08-05T15:03:36.451000", "created": "2025-07-06T20:41:53.748000", "tags": [ "url https", "type indicator", "role title", "added active", "related pulses", "url http", "showing", "entries", "indicator role", "title added", "active related", "pulses url", "ipv4", "filehashmd5", "filehashsha1", "filehashsha256", "indicators show", "search", "reputation", "et att", "ck id", "t1060", "run keys", "startup", "folder", "scan", "iocs", "learn more", "hostname", "types of", "pagehrsappjbpst", "actionu", "focusapplicant", "siteid1", "postingseq1", "t1036", "t1043", "port", "t1085", "rundll32", "t1114", "t1179", "fbi flash", "cu000163mw", "compromise", "found", "uunet", "code", "reverse domain", "lookup", "ragnar", "locker", "ragnar locker", "cidr", "pulses", "types", "windows", "linux", "united", "trojandropper", "mtb jun", "trojan", "win32upatre aug", "mtb may", "gmt server", "ecacc", "files", "suspicious", "body", "data upload", "extraction", "cve cve20170147", "cve cve20178570", "cve cve20178977", "url feb", "pulses hostname", "a1sticas", "next associated", "present mar", "present jun", "present may", "france", "date", "ip address", "present apr", "virtool", "name servers", "value emails", "name john", "shipton", "dynadot privacy", "po box", "city san", "mateo country", "us creation", "news videos", "maps assist", "search settings", "safe search", "date more", "images bae", "systems defense", "bae systems", "london", "britain", "akamai rank", "script urls", "status", "a domains", "accept encoding", "unknown ns", "meta", "encrypt", "https", "report spam", "created", "year ago", "modified", "octoseek public", "cyber attack", "pegasus", "westlaw", "hallrender", "front", "sabey", "enter s", "include review", "exclude sugges", "failed", "sc type", "extr included", "manually add", "puls", "excludedocs", "sugges data", "phishing", "apple pegasus", "detections", "references", "stranger things", "http", "yara", "upx alerts", "fort collins", "help4u", "communications", "orgtechhandle", "domain", "no entries", "cchk asnas26658", "vj92", "search filter", "time sabey", "x show", "indicator type", "email", "filehashimphash", "filehashpehash", "backdoor", "ransom", "checkin", "alphacrypt cnc", "beacon", "jeffrey scott", "terse http", "possible", "accept", "xorddos", "ck ids", "t1512", "camera", "t1071", "protocol", "ta0001", "access", "ta0002", "ta0003", "ta0004", "cookie", "show", "ally", "melika", "part1", "trojanclicker", "bayrob", "android", "ransomware", "sakula rat", "t1125", "video capture", "t1566", "t1068", "t1190", "application", "t1472", "t1457", "media content", "social media", "doppelgnging", "t1080", "shared content", "t1449", "exploit ss7", "phone callssms", "enter sc", "type", "no expiration", "expiration", "months ago", "expiration http", "reimer dpt", "r role", "sa victim", "daisy coleman", "source", "weeks ago", "tbmvid", "sourcelnms", "zx1724209326040", "ahtrnaah typ", "url url", "url domain", "pulse sthow", "ah types", "ind indicator", "data uptoad", "extrachttp", "dulce sphown", "aho data", "typ url", "url dom", "hos hostname", "hos host", "dom dom" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8149, "domain": 1067, "hostname": 2103, "FileHash-SHA256": 1617, "URI": 1, "FilePath": 1, "FileHash-MD5": 412, "FileHash-SHA1": 368, "CIDR": 4, "CVE": 6, "email": 10 }, "indicator_count": 13738, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "257 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "686c676bcc053e0fc51f01b2", "name": "ALL T8 research led to Firm_IP\u2019s = BoFa , WikiLeaks, United Healthcare, HCA, T-Mobile, Dish , AT&T, Apple,+ Breaches despite other speculations with 0 relations", "description": "", "modified": "2025-08-05T15:03:36.451000", "created": "2025-07-08T00:33:47.021000", "tags": [ "url https", "type indicator", "role title", "added active", "related pulses", "url http", "showing", "entries", "indicator role", "title added", "active related", "pulses url", "ipv4", "filehashmd5", "filehashsha1", "filehashsha256", "indicators show", "search", "reputation", "et att", "ck id", "t1060", "run keys", "startup", "folder", "scan", "iocs", "learn more", "hostname", "types of", "pagehrsappjbpst", "actionu", "focusapplicant", "siteid1", "postingseq1", "t1036", "t1043", "port", "t1085", "rundll32", "t1114", "t1179", "fbi flash", "cu000163mw", "compromise", "found", "uunet", "code", "reverse domain", "lookup", "ragnar", "locker", "ragnar locker", "cidr", "pulses", "types", "windows", "linux", "united", "trojandropper", "mtb jun", "trojan", "win32upatre aug", "mtb may", "gmt server", "ecacc", "files", "suspicious", "body", "data upload", "extraction", "cve cve20170147", "cve cve20178570", "cve cve20178977", "url feb", "pulses hostname", "a1sticas", "next associated", "present mar", "present jun", "present may", "france", "date", "ip address", "present apr", "virtool", "name servers", "value emails", "name john", "shipton", "dynadot privacy", "po box", "city san", "mateo country", "us creation", "news videos", "maps assist", "search settings", "safe search", "date more", "images bae", "systems defense", "bae systems", "london", "britain", "akamai rank", "script urls", "status", "a domains", "accept encoding", "unknown ns", "meta", "encrypt", "https", "report spam", "created", "year ago", "modified", "octoseek public", "cyber attack", "pegasus", "westlaw", "hallrender", "front", "sabey", "enter s", "include review", "exclude sugges", "failed", "sc type", "extr included", "manually add", "puls", "excludedocs", "sugges data", "phishing", "apple pegasus", "detections", "references", "stranger things", "http", "yara", "upx alerts", "fort collins", "help4u", "communications", "orgtechhandle", "domain", "no entries", "cchk asnas26658", "vj92", "search filter", "time sabey", "x show", "indicator type", "email", "filehashimphash", "filehashpehash", "backdoor", "ransom", "checkin", "alphacrypt cnc", "beacon", "jeffrey scott", "terse http", "possible", "accept", "xorddos", "ck ids", "t1512", "camera", "t1071", "protocol", "ta0001", "access", "ta0002", "ta0003", "ta0004", "cookie", "show", "ally", "melika", "part1", "trojanclicker", "bayrob", "android", "ransomware", "sakula rat", "t1125", "video capture", "t1566", "t1068", "t1190", "application", "t1472", "t1457", "media content", "social media", "doppelgnging", "t1080", "shared content", "t1449", "exploit ss7", "phone callssms", "enter sc", "type", "no expiration", "expiration", "months ago", "expiration http", "reimer dpt", "r role", "sa victim", "daisy coleman", "source", "weeks ago", "tbmvid", "sourcelnms", "zx1724209326040", "ahtrnaah typ", "url url", "url domain", "pulse sthow", "ah types", "ind indicator", "data uptoad", "extrachttp", "dulce sphown", "aho data", "typ url", "url dom", "hos hostname", "hos host", "dom dom" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "686adf91f725a8b7f9850192", "export_count": 56, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8149, "domain": 1067, "hostname": 2103, "FileHash-SHA256": 1617, "URI": 1, "FilePath": 1, "FileHash-MD5": 412, "FileHash-SHA1": 368, "CIDR": 4, "CVE": 6, "email": 10 }, "indicator_count": 13738, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "257 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657ab025b97f20f31bbfcd70", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch", "description": "Alleged attorney defending Jeffrey Scott Reimer DPT. Firm uses every possible tool to destroy, make life unbearable, threaten and cause harm to targets. I don't feel safe. I hope this research helps the next target.\n\nMissouri government is seen throughout. The corruption is mafia deep. There is tracking. In person stalking, theft, identity theft, mail theft, modification of records and services, legitimate death threats,etc.\nOpen records act: Target has made multiple reports to authorities regarding physical assaults, threats, phone hacking, etc. OCA: Reports show a settlement was paid by Brian Sabey in part to help Tsara Brashears discover hacker.\nI've been receiving death threats, followed, property accessed, tampering. Attacking entire family including her children, father and beyond.", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-14T07:35:01.537000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": null, "export_count": 512, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "827 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657c03432f4f2997c7d3aff4", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-15T07:41:55.972000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657ab025b97f20f31bbfcd70", "export_count": 508, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "827 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657c045ef15bd06d27da1b08", "name": "Resource Hijacking by attorney https://hallrender.com/attorney/brian-sabey", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-15T07:46:38.664000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657c03432f4f2997c7d3aff4", "export_count": 508, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "827 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658dd341d97d04b0253392d4", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-28T19:57:53.875000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657ab025b97f20f31bbfcd70", "export_count": 522, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "827 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658ef8c00492cc6bdaa8b605", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch | https://safebae.org", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-29T16:50:08.330000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "658dd341d97d04b0253392d4", "export_count": 518, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "827 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659d6ae800440c0befb47e22", "name": "BazaLoader affiliates use elaborate infection chains via notable victim interaction", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2024-01-09T15:48:56.676000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657c045ef15bd06d27da1b08", "export_count": 250, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "827 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657aaff046e2083b423a39e2", "name": "Inmortal Invoke-Mimikatz", "description": "Attorney defending Jeffrey Scott Reimer DPT. Firm uses every possible tool to destroy, make life uncomfortable, threaten and cause harm to targets.\nPossible masquerading / DBA as attorney with such illegal behavior.\nMay have been hired to harass and...she is reported dead of suicide morning after reporting harassment. Missouri government is seen throughout as if hired by firm. If this is a true law firm , the corruption is mafia deep. \n\nI'm 24/7 followed. Hacked l, etc. \nVery expensive threat and deliver campaign. Verdict: Digital profile completely destroyed. Lives at risk.", "modified": "2024-01-12T04:02:22.872000", "created": "2023-12-14T07:34:08.701000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": null, "export_count": 438, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1995, "hostname": 3222, "URL": 7179, "FileHash-MD5": 2749, "FileHash-SHA1": 1538, "FileHash-SHA256": 4661, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 21381, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "828 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "https://www.hallrender.com/attorney/brian-sabey", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "https://poemhunter.com/tsara-brashears/", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "demo.auth.civicalg.com.sni.cloudflaressl.com", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "government.westlaw.com", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "rp.dudaran2.com [routerlogin.net to safebae.org]", "www.hallrender.com (malware hosting)", "happyrabbit.kr [Apple iOS threat]", "www.dead-speak.com", "us-west-2.es.amazonaws.com (pslicorp)", "init.ess.apple.com ( Code Script \u2022 MortalK)", "fakecelebporno.com", "https://www.anyxxxtube.net/media/favicon/apple", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://click.stecloud.us/campaign/track-email/384458660__3339__6837152__393", "batchcourtexpressservicesqa.westlaw.com", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "\u2193\u2192Found in: https://house.mo.gov/\u2193", "www42.jhonisdead.com", "dns.msftncsi.com \u2022 https://dns.msftncsi.com/ \u2022 http://dns.msftncsi.com/", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "https://appletoncdn.xyz/l/26422915e0d4f6f88646?sub=5eafeec1af7c0a0001960f44&source=81 \u2022 appletoncdn.xyz", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "http://nudeteenporn.site", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "batchpublicrecords.westlaw.com", "192.124.249.53:80", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "https://hallrender.com/attorney/brian-sabey", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://your-sugar-girls.com/cams/default/adult/5277/index.html?p1=https://bongacams10.com/track?c=621661&subid=1a1d33f51a7179480c6d4aeb40d3a5a1&subid2=16969639", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "west-sca.duckdns.org", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "apple-aqo.com (1 DNSPod.net)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "https://enter.private.com/track/MTIxODEuNjEuMi41MjEuMTAxMC4wLjAuMC4w/join", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://tracking.s-unlock.com \u2022 https://ignaciob.com/track/click/v2-318692303 \u2022 adepttracker.com \u2022" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor" ], "malware_families": [ "Beach research", "Bandit stealer", "Hacktool", "Trojan:win32/tiggre", "Agent tesla", "Njrat", "Suppobox", "China telecom", "Freemake", "Flubot", "Ubot", "Wannacry kill switch", "Maze", "Dark", "Invoke-mimikatz", "Hsbc", "Hallrender", "Azorult", "Zeus", "Redirector", "Maltiverse", "Babar", "Webtoolbar", "Tulach", "Redline", "Domains", "Win32.pdf.alien", "Cl0p", "Emotet", "Qbot", "Behav", "Trojan:win32/wacatac", "Ursnif", "Nokoyawa ransomware", "Qakbot", "Djvu", "Vitzo", "Sonbokli", "Uztuby", "Mirai", "Apnic", "Zbot", "Alf:trojan:win32/formbook", "Trojanspy", "Rms", "Inmortal" ], "industries": [ "Health" ], "unique_indicators": 64134 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/safebae.org", "whois": "http://whois.domaintools.com/safebae.org", "domain": "safebae.org", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 11, "pulses": [ { "id": "6872f4c510c590b7cdc5ff6a", "name": "Crowdsourced Collection of PayPal Mafia Monster - Foundry\u2019s Palantair", "description": "Americans are investing in what Edward Snowden foretold of\u2026 your future from beginning to end will predict how you will be treated. Preemptively policing people even if you have to make up a past.. |\n\nThe New York Times\nMay 30, 2025 \u2014 The Trump administration has expanded Palantir's work with the government, spreading the company's technology \u2014 which could easily merge data on ...\nFormer Palantir workers condemn company's work with ...\n\nNPR\nMay 5, 2025 \u2014 Thirteen former employees of influential data-mining firm Palantir are condemning the company's work with the Trump administration.\nWyden AOC Palantir Letter 061725\n\nSenate Finance (.gov)\nJun 17, 2025 \u2014 The Trump Administration has spent taxpayer dollars on Palantir software at numerous other government agencies and paid it billions of dollars ...\n#foundry #rip #palantir #jeffreyreimerdpt #lawenforcement #twitter #tsarabrashearsblessed #apple #privacynow #fightforprivacy #sabey #hallrender", "modified": "2025-08-11T23:02:24.583000", "created": "2025-07-12T23:50:29.847000", "tags": [ "url https", "url http", "type indicator", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses", "enter source", "urior exirag", "diri type", "data upload", "extraction", "failed", "included iocs", "review iocs", "find sugge", "extr extract", "in data", "extract", "type", "u extractio", "extra", "review ic", "ipv4", "pulses hostname", "accountunlock", "united", "ireland", "canada", "brazil", "sweden", "australia", "search", "scan", "iocs", "learn more", "filehashsha1", "filehashmd5", "types of", "extra data", "included review", "china", "colombia", "filepath https", "enter sc", "extr data", "include review", "exclude sugges", "filehashsha256", "hostname", "dicators japan", "url tor", "extrac data", "ic excluded", "suggeste", "stop", "type no", "no entrie", "included", "review locc", "excluded data", "sc data", "extri data", "includec review", "exclude data", "suggested", "se extra", "suggest", "manaiv add", "indicator", "review lace", "extri", "find s", "typ no", "no entdi", "ous u", "dron aew", "avtrat", "extre data", "manually", "add indicator", "pulses url", "url url", "typ host", "host url", "include", "z6911541", "extraction fail", "enter souf", "s type", "ur extraction", "extraction data", "jul all", "pulse data", "report external", "review", "extre please", "se extraction", "report spam", "all t8", "firmip", "bofa", "wikileaks", "tmobile", "dish", "capture", "cookie", "enter s", "please sub", "include outroov", "excludel sugges", "extra please", "high priority", "alerts ids", "priority alerts", "cnc beacon", "winver", "digitalmistica", "november", "pulse", "palantir", "foundry twitter", "arkei stealer", "config", "install", "downloader", "cidr", "domain", "indicators hong", "kong", "ukraine", "status no", "object", "unruy", "http", "remote", "keylogger", "foundry created", "days ago", "white keylogger", "apple", "foundry tech", "mafia", "t1045", "packing", "t1060", "run keys", "startup", "folder", "t1457", "showing", "types", "indicators show", "dicator role", "tsara brashears", "tsara", "porn", "porn videos", "pornhub https", "searchtsar", "watch tsara", "most relevant", "open threat", "green", "love", "daily", "videos", "free porn", "hybrid analysis", "falcon sandbox", "top tsara", "brashears porn", "stream", "spice", "download", "hybrid", "njrat", "threat network", "https", "created", "years ago", "modified", "months ago", "tinynote", "douglas county", "co sheriff", "office", "pegasus attacks", "sa victim", "octoseek public", "white", "excludedocs", "sugges", "stop data", "tsara lynn", "brashears les", "lynn brashears", "translate", "pornhub page", "emotet", "se review", "typ url", "dom hos", "hostname data", "harmful", "octoseekpulse", "attacks sa", "bandit stealer", "flubot", "agent tesla", "qbot", "qakbot", "ursnif", "azorult", "djvu", "hacktool", "maze", "dark", "linux", "android10", "khtml", "costcpc", "userosandroid", "bannerid2738231", "india", "enter so", "please subr", "suggest data", "netherlands", "russia", "america malware", "families", "sc type", "please", "show", "url data", "fanec", "include failed", "review exclude", "extre", "includea", "exclude toosrou", "sugges data", "typ data", "information", "cobalt strike", "ransomexx", "quackbot", "comspec", "span", "idn1", "sendimage0", "refts0", "include data", "uny inuuue", "fileh fileh", "exclude suggest", "uniy", "type fileh", "extr please", "ineluderc\u0660", "review data", "excludedlocs" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1065", "name": "Uncommonly Used Port", "display_name": "T1065 - Uncommonly Used Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 58, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12679, "domain": 1134, "hostname": 3543, "FileHash-MD5": 251, "email": 7, "FileHash-SHA256": 1927, "FileHash-SHA1": 232, "CVE": 1, "CIDR": 1, "URI": 1 }, "indicator_count": 19776, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "250 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "686ab98ff0cb9baa4e2b2000", "name": "https://house.mo.gov/ Palantir Technologies HARMFUL (copied OctoseekPulse) Attacks SA victims?", "description": "", "modified": "2025-08-05T21:02:46.419000", "created": "2025-07-06T17:59:43.440000", "tags": [ "runtime process", "localappdata", "size", "sha256", "sha1", "temp", "prefetch8", "prefetch1", "unicode text", "type data", "hybrid", "general", "click", "strings", "contact", "mitre", "writes a pe file header to disc", "show process", "date", "document file", "v2 document", "ascii text", "malicious", "local", "path", "found", "ssl certificate", "whois record", "threat roundup", "contacted", "october", "resolutions", "apple ios", "referrer", "communicating", "execution", "june", "august", "emotet", "qakbot", "agent tesla", "azorult", "core", "maze", "metro", "dark", "team", "critical", "copy", "awful", "ursnif", "hacktool", "info", "qbot", "april", "njrat", "nokoyawa", "djvu", "flubot", "ransomware", "bandit stealer", "hallrender", "spyware", "safebae", "tsara brashears", "westlaw", "river.rocks", "brian sabey", "targeting", "dnspionage", "united", "unknown", "search", "aaaa", "showing", "domain", "creation date", "record value", "dnssec", "body", "passive dns", "encrypt", "as14061", "germany unknown", "as397240", "gmt server", "443 ma2592000", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "main", "installing", "as16276", "france unknown", "name servers", "as8075", "servers", "next", "as63949 linode", "as206834 team", "canada unknown", "status", "as61969 team", "msie", "chrome", "ransom", "gone", "title", "head body", "malware" ], "references": [ "\u2193\u2192Found in: https://house.mo.gov/\u2193", "dns.msftncsi.com \u2022 https://dns.msftncsi.com/ \u2022 http://dns.msftncsi.com/", "demo.auth.civicalg.com.sni.cloudflaressl.com", "happyrabbit.kr [Apple iOS threat]", "https://appletoncdn.xyz/l/26422915e0d4f6f88646?sub=5eafeec1af7c0a0001960f44&source=81 \u2022 appletoncdn.xyz", "https://tracking.s-unlock.com \u2022 https://ignaciob.com/track/click/v2-318692303 \u2022 adepttracker.com \u2022", "https://your-sugar-girls.com/cams/default/adult/5277/index.html?p1=https://bongacams10.com/track?c=621661&subid=1a1d33f51a7179480c6d4aeb40d3a5a1&subid2=16969639", "https://click.stecloud.us/campaign/track-email/384458660__3339__6837152__393", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://enter.private.com/track/MTIxODEuNjEuMi41MjEuMTAxMC4wLjAuMC4w/join", "http://nudeteenporn.site" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Nokoyawa Ransomware", "display_name": "Nokoyawa Ransomware", "target": null }, { "id": "Bandit Stealer", "display_name": "Bandit Stealer", "target": null }, { "id": "FluBot", "display_name": "FluBot", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Djvu", "display_name": "Djvu", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Maze", "display_name": "Maze", "target": null }, { "id": "Dark", "display_name": "Dark", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1065", "name": "Uncommonly Used Port", "display_name": "T1065 - Uncommonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" } ], "industries": [], "TLP": "green", "cloned_from": "65c96df8fe0657d56a206a49", "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 251, "FileHash-SHA1": 211, "FileHash-SHA256": 3226, "domain": 1867, "URL": 10030, "hostname": 2919, "CVE": 7, "email": 6 }, "indicator_count": 18517, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "257 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "686adf91f725a8b7f9850192", "name": "Dystopian Life & Death of an American Crime Victim | Boldy predicted how she will die", "description": "Palantir - a data analytics company, known as a military intelligence tool. co-founded by billionaire investor , Trump supporter and Republican mega donor Musk aligned; Peter Thiel, as per New York. \n\nFounded in 2003, known for its data analytics platforms - Palantir Gotham & Palantir Foundry are used by government & private sectors for various applications, including defense & healthcare. The company faces criticism for its role in government surveillance & data privacy concerns.\nPalantir can be linked to malicious, malware packed , compromised malvertisements about victim allegedly SA\u2019d by her physical therapist Jeffrey Scott Reimer DPT. Apparently target was paid a small settlement via lengthy phone battle by a man representing himself as Brian Sabey ,Esq of Hall Render. \n Palantir, admittedly designs cyber weapon that \u2018kills people\u2019. Are governments abusing to terrorize, silence & even harm/kill American citizens. Is this an elaborate hoax?\nTeam 8 \n#rip #plantantir #Hosanna #dystopian #targeted", "modified": "2025-08-05T15:03:36.451000", "created": "2025-07-06T20:41:53.748000", "tags": [ "url https", "type indicator", "role title", "added active", "related pulses", "url http", "showing", "entries", "indicator role", "title added", "active related", "pulses url", "ipv4", "filehashmd5", "filehashsha1", "filehashsha256", "indicators show", "search", "reputation", "et att", "ck id", "t1060", "run keys", "startup", "folder", "scan", "iocs", "learn more", "hostname", "types of", "pagehrsappjbpst", "actionu", "focusapplicant", "siteid1", "postingseq1", "t1036", "t1043", "port", "t1085", "rundll32", "t1114", "t1179", "fbi flash", "cu000163mw", "compromise", "found", "uunet", "code", "reverse domain", "lookup", "ragnar", "locker", "ragnar locker", "cidr", "pulses", "types", "windows", "linux", "united", "trojandropper", "mtb jun", "trojan", "win32upatre aug", "mtb may", "gmt server", "ecacc", "files", "suspicious", "body", "data upload", "extraction", "cve cve20170147", "cve cve20178570", "cve cve20178977", "url feb", "pulses hostname", "a1sticas", "next associated", "present mar", "present jun", "present may", "france", "date", "ip address", "present apr", "virtool", "name servers", "value emails", "name john", "shipton", "dynadot privacy", "po box", "city san", "mateo country", "us creation", "news videos", "maps assist", "search settings", "safe search", "date more", "images bae", "systems defense", "bae systems", "london", "britain", "akamai rank", "script urls", "status", "a domains", "accept encoding", "unknown ns", "meta", "encrypt", "https", "report spam", "created", "year ago", "modified", "octoseek public", "cyber attack", "pegasus", "westlaw", "hallrender", "front", "sabey", "enter s", "include review", "exclude sugges", "failed", "sc type", "extr included", "manually add", "puls", "excludedocs", "sugges data", "phishing", "apple pegasus", "detections", "references", "stranger things", "http", "yara", "upx alerts", "fort collins", "help4u", "communications", "orgtechhandle", "domain", "no entries", "cchk asnas26658", "vj92", "search filter", "time sabey", "x show", "indicator type", "email", "filehashimphash", "filehashpehash", "backdoor", "ransom", "checkin", "alphacrypt cnc", "beacon", "jeffrey scott", "terse http", "possible", "accept", "xorddos", "ck ids", "t1512", "camera", "t1071", "protocol", "ta0001", "access", "ta0002", "ta0003", "ta0004", "cookie", "show", "ally", "melika", "part1", "trojanclicker", "bayrob", "android", "ransomware", "sakula rat", "t1125", "video capture", "t1566", "t1068", "t1190", "application", "t1472", "t1457", "media content", "social media", "doppelgnging", "t1080", "shared content", "t1449", "exploit ss7", "phone callssms", "enter sc", "type", "no expiration", "expiration", "months ago", "expiration http", "reimer dpt", "r role", "sa victim", "daisy coleman", "source", "weeks ago", "tbmvid", "sourcelnms", "zx1724209326040", "ahtrnaah typ", "url url", "url domain", "pulse sthow", "ah types", "ind indicator", "data uptoad", "extrachttp", "dulce sphown", "aho data", "typ url", "url dom", "hos hostname", "hos host", "dom dom" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8149, "domain": 1067, "hostname": 2103, "FileHash-SHA256": 1617, "URI": 1, "FilePath": 1, "FileHash-MD5": 412, "FileHash-SHA1": 368, "CIDR": 4, "CVE": 6, "email": 10 }, "indicator_count": 13738, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "257 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "686c676bcc053e0fc51f01b2", "name": "ALL T8 research led to Firm_IP\u2019s = BoFa , WikiLeaks, United Healthcare, HCA, T-Mobile, Dish , AT&T, Apple,+ Breaches despite other speculations with 0 relations", "description": "", "modified": "2025-08-05T15:03:36.451000", "created": "2025-07-08T00:33:47.021000", "tags": [ "url https", "type indicator", "role title", "added active", "related pulses", "url http", "showing", "entries", "indicator role", "title added", "active related", "pulses url", "ipv4", "filehashmd5", "filehashsha1", "filehashsha256", "indicators show", "search", "reputation", "et att", "ck id", "t1060", "run keys", "startup", "folder", "scan", "iocs", "learn more", "hostname", "types of", "pagehrsappjbpst", "actionu", "focusapplicant", "siteid1", "postingseq1", "t1036", "t1043", "port", "t1085", "rundll32", "t1114", "t1179", "fbi flash", "cu000163mw", "compromise", "found", "uunet", "code", "reverse domain", "lookup", "ragnar", "locker", "ragnar locker", "cidr", "pulses", "types", "windows", "linux", "united", "trojandropper", "mtb jun", "trojan", "win32upatre aug", "mtb may", "gmt server", "ecacc", "files", "suspicious", "body", "data upload", "extraction", "cve cve20170147", "cve cve20178570", "cve cve20178977", "url feb", "pulses hostname", "a1sticas", "next associated", "present mar", "present jun", "present may", "france", "date", "ip address", "present apr", "virtool", "name servers", "value emails", "name john", "shipton", "dynadot privacy", "po box", "city san", "mateo country", "us creation", "news videos", "maps assist", "search settings", "safe search", "date more", "images bae", "systems defense", "bae systems", "london", "britain", "akamai rank", "script urls", "status", "a domains", "accept encoding", "unknown ns", "meta", "encrypt", "https", "report spam", "created", "year ago", "modified", "octoseek public", "cyber attack", "pegasus", "westlaw", "hallrender", "front", "sabey", "enter s", "include review", "exclude sugges", "failed", "sc type", "extr included", "manually add", "puls", "excludedocs", "sugges data", "phishing", "apple pegasus", "detections", "references", "stranger things", "http", "yara", "upx alerts", "fort collins", "help4u", "communications", "orgtechhandle", "domain", "no entries", "cchk asnas26658", "vj92", "search filter", "time sabey", "x show", "indicator type", "email", "filehashimphash", "filehashpehash", "backdoor", "ransom", "checkin", "alphacrypt cnc", "beacon", "jeffrey scott", "terse http", "possible", "accept", "xorddos", "ck ids", "t1512", "camera", "t1071", "protocol", "ta0001", "access", "ta0002", "ta0003", "ta0004", "cookie", "show", "ally", "melika", "part1", "trojanclicker", "bayrob", "android", "ransomware", "sakula rat", "t1125", "video capture", "t1566", "t1068", "t1190", "application", "t1472", "t1457", "media content", "social media", "doppelgnging", "t1080", "shared content", "t1449", "exploit ss7", "phone callssms", "enter sc", "type", "no expiration", "expiration", "months ago", "expiration http", "reimer dpt", "r role", "sa victim", "daisy coleman", "source", "weeks ago", "tbmvid", "sourcelnms", "zx1724209326040", "ahtrnaah typ", "url url", "url domain", "pulse sthow", "ah types", "ind indicator", "data uptoad", "extrachttp", "dulce sphown", "aho data", "typ url", "url dom", "hos hostname", "hos host", "dom dom" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "686adf91f725a8b7f9850192", "export_count": 56, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8149, "domain": 1067, "hostname": 2103, "FileHash-SHA256": 1617, "URI": 1, "FilePath": 1, "FileHash-MD5": 412, "FileHash-SHA1": 368, "CIDR": 4, "CVE": 6, "email": 10 }, "indicator_count": 13738, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "257 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657ab025b97f20f31bbfcd70", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch", "description": "Alleged attorney defending Jeffrey Scott Reimer DPT. Firm uses every possible tool to destroy, make life unbearable, threaten and cause harm to targets. I don't feel safe. I hope this research helps the next target.\n\nMissouri government is seen throughout. The corruption is mafia deep. There is tracking. In person stalking, theft, identity theft, mail theft, modification of records and services, legitimate death threats,etc.\nOpen records act: Target has made multiple reports to authorities regarding physical assaults, threats, phone hacking, etc. OCA: Reports show a settlement was paid by Brian Sabey in part to help Tsara Brashears discover hacker.\nI've been receiving death threats, followed, property accessed, tampering. Attacking entire family including her children, father and beyond.", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-14T07:35:01.537000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": null, "export_count": 512, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "827 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657c03432f4f2997c7d3aff4", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-15T07:41:55.972000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657ab025b97f20f31bbfcd70", "export_count": 508, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "827 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657c045ef15bd06d27da1b08", "name": "Resource Hijacking by attorney https://hallrender.com/attorney/brian-sabey", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-15T07:46:38.664000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657c03432f4f2997c7d3aff4", "export_count": 508, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "827 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658dd341d97d04b0253392d4", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-28T19:57:53.875000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657ab025b97f20f31bbfcd70", "export_count": 522, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "827 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658ef8c00492cc6bdaa8b605", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch | https://safebae.org", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-29T16:50:08.330000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "658dd341d97d04b0253392d4", "export_count": 518, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "827 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659d6ae800440c0befb47e22", "name": "BazaLoader affiliates use elaborate infection chains via notable victim interaction", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2024-01-09T15:48:56.676000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657c045ef15bd06d27da1b08", "export_count": 250, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "827 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://safebae.org", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://safebae.org", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776636897.446321 }