{ "type": "URL", "indicator": "https://ssl424011.cloudflaressl.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://ssl424011.cloudflaressl.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3786137241, "indicator": "https://ssl424011.cloudflaressl.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 39, "pulses": [ { "id": "656aafd0e93efa420f74123c", "name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "description": "", "modified": "2024-10-12T01:00:47.836000", "created": "2023-12-02T04:17:20.189000", "tags": [ "ssl certificate", "contacted", "threat roundup", "whois record", "communicating", "subdomains", "resolutions", "june", "july", "october", "august", "noname057", "generic malware", "ice fog", "tag count", "thu nov", "threat report", "ip summary", "url summary", "summary", "sample", "first", "generic", "detection list", "blacklist http", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "alexa", "malware site", "malicious site", "unsafe", "artemis", "fakealert", "exploit", "opencandy", "riskware", "genkryptik", "iframe", "tiggre", "presenoker", "agent", "conduit", "wacatac", "phishing", "redline stealer", "dropper", "cobalt strike", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "filetour", "cleaner", "installpack", "xrat", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "blacknet rat", "stealer", "maltiverse", "webtoolbar", "trojanspy", "united", "engineering", "cyber threat", "phishing site", "america", "emotet", "zbot", "malicious", "steam", "team", "indonesia", "miner", "ransomware", "ramnit", "pe resource", "historical ssl", "execution", "hacktool", "metasploit", "relic", "monitoring", "android", "skynet", "et", "anonymizer", "trojanx", "back", "laplasclipper", "win64", "trojan", "ghost rat", "suppobox", "asyncrat", "union", "samples", "blacklist", "malicious url", "hostname", "hostnames", "tsara brashears", "reinsurance", "pinnacol insurance", "industry and commerce", "state", "danger", "warning", "nr-data.net", "apple", "data.net", "asp.net", "domains", "hashes", "reverse dns", "general full", "resource", "software", "asn15169", "google", "url http", "server", "hash", "get h2", "main", "cookie", "thu dec", "germany", "frankfurt", "netherlands", "asn20446", "highwinds3", "page url", "search live", "api blog", "docs pricing", "tags", "november", "us summary", "http", "google safe", "browsing", "adware", "xtrat", "firehol", "microsoft", "control server", "services", "msil", "hiloti", "asn16509", "amazon02", "fastly", "asn54113", "prague", "login", "listen live", "centura health", "colorado jobs", "eeo public", "filing url", "blacklist https", "mimikatz", "beach research", "de indicators", "copyright", "gmbh version", "follow", "softcnapp", "philadelphia", "gamehack", "value", "line", "variables", "nreum", "postrelease", "url https", "security tls", "protocol h2", "name value", "scam", "gesponsert url", "outputldjh", "oid2", "uhis2", "uh1200", "uw1600", "uah1200", "uaw1600", "ucd24", "usd1", "utz60", "no data", "coinminer", "ip address", "exchange", "http attacker", "states", "jimburkedentistry", "leder-family", "adam lee", "erika lee", "malvertizing" ], "references": [ "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "http://tracks.theleders.family", "photos.theleders.family", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "http://mobtrack.trkclk.net", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "nr-data.net", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "103.233.208.9 (CNC IP)", "apex.jquery.com (scammer | works for who?)", "api.useragentswitch.com", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "dns.google (DNS client services - Doug Cole)", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "apple-dns.net", "emails.redvue.com (apple DNS w/amvima)", "142.250.180.4 (init.ess)", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "freeimdatingsites.thomasdobo.eu", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "https://urlscan.io/domain/maxwam.tk", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "States", "display_name": "States", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": "6562908e28e6cdc237fbf8db", "export_count": 107, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1956, "FileHash-SHA1": 867, "FileHash-SHA256": 3895, "URL": 11195, "domain": 2959, "hostname": 3575, "CVE": 16, "SSLCertFingerprint": 1, "email": 1 }, "indicator_count": 24465, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "555 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657fee4dec993692315eb9e9", "name": "NjRAT | Threat Network | https://www.poemhunter.com/tsara-brashears ", "description": "", "modified": "2024-09-05T07:13:57.083000", "created": "2023-12-18T07:01:33.682000", "tags": [ "ssl certificate", "whois record", "resolutions", "threat roundup", "referrer", "contacted", "april", "historical ssl", "threat network", "june", "august", "ransomware", "malware", "python", "probe", "formbook", "dropped", "njrat", "malware alibaba", "cloud computing", "service", "love", "execution" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "657fed19f6d24e751fa82de8", "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 152, "FileHash-SHA256": 2775, "URL": 7125, "domain": 1726, "hostname": 2417 }, "indicator_count": 14348, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "592 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a4885e735b9e8ba94805bc", "name": "Apple | Worm:Win32/Benjamin | thebrotherssabey.com", "description": "", "modified": "2024-09-05T06:51:42.608000", "created": "2024-01-15T01:20:30.730000", "tags": [ "execution", "whois record", "contacted", "ssl certificate", "whois whois", "contacted urls", "copy", "historical ssl", "referrer", "urls url", "icmp", "malicious", "installer", "problems", "collections", "report", "phishing", "service tool", "greatness", "threat network", "emotet", "magniber", "startpage", "attack", "banker", "keylogger", "namecheap inc", "com laude", "ltd dba", "cloudflare", "porkbun llc", "ii llc", "csc corporate", "domains", "computer", "company limited", "first", "cloudflarenet", "google", "amazon02", "akamaias", "telecom italia", "utc submissions", "microsoftcorpas", "indonesia", "beijing gu", "appleaustin", "sucurisec", "amazonaes", "limited", "tsara brashears", "pornhub", "thebrotherssabey", "then brothers sabey", "brian sabey", "apple", "icloud", "apple engineering", "soc", "hacker", "teams", "malvertizing", "cyberthreat", "cyber crime", "data", "v3 serial", "number", "cgb stgreater", "ecc domain", "server ca", "subject public", "key info", "key algorithm", "ec oid", "remote", "remote attacker", "benjamin", "worm", "trojan", "win32", "trojanspy", "ransomware", "command and control", "cnc", "c2", "stealer", "password", "apple unlocker", "pornographers", "cyber stalking", "revenge rat", "masquerading", "scanning host", "phishing", "dns", "network", "cobalt strike", "mitre attack", "metro hacker", "t-mobile hacker", "stalker", "social engineering", "et", "torrent trecker", "view", "duckdns", "blackhat", "data center", "tracking", "illegal", "malware scripting", "malware spreader", "network rat", "multiple botnetworks" ], "references": [ "https://thebrotherssabey.wordpress.com/", "acam-mdn.apple.com", "beacons.bcp.gvt.com", "cpcontacts.webcamara.online", "http://dreamsofspanking.com/scene/item/rosie-backlash-caning?utm_campaign=apr15", "http://ti.hicloudcam.com", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://search.app.goo.gl/?ofl", "Worm:Win32/Benjamin", "FileHash-SHA256\t00000254e6344d34a1e4ef157cb01d8b7efa65c22c996f9dfe85e7482c6c86ab", "FileHash-MD5\ted5c771224fbd6f9b2c0cf1e8cce09b5", "FileHash-SHA1\tf336b50f5cca2ddc0341e2c4001b419a830d27a5", "applemusic-spotlight.myunidays.com", "nr-data.net", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4", "blackhat.store", "api.telegram.org", "cobaltstrike4.tk | https://cobaltstrike4.tk:8443/include/template/isx.php" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Silk", "display_name": "Silk", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65a429795adf468b427a3c8b", "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2469, "URL": 6038, "FileHash-MD5": 169, "FileHash-SHA1": 157, "FileHash-SHA256": 3922, "CIDR": 2, "hostname": 2787, "email": 2, "CVE": 1 }, "indicator_count": 15547, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "592 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b85faa9b8e3e1206d7f25c", "name": "Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection ", "description": "", "modified": "2024-06-15T04:39:29.943000", "created": "2024-01-30T02:32:10.210000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "659719b77c383c73c05208a9", "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3503, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28413, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "674 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65eb9b25110526c6b2a0ada5", "name": "VirTool:MSIL/CryptInject.CF!MTB | Rexxfield? Weird stuff", "description": "", "modified": "2024-03-08T23:11:33.426000", "created": "2024-03-08T23:11:33.426000", "tags": [ "threat", "feeds ioc", "new ioc", "teams api", "contact", "paste", "iocs", "analyze", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "whois whois", "communicating", "contacted", "family", "roots", "lolkek", "redline stealer", "hacktool", "html info", "title rexxfield", "services", "identify", "meta tags", "rexxfield cyber", "investigation", "divi child", "site kit", "google", "united", "unknown", "as24940 hetzner", "germany unknown", "passive dns", "urls", "title", "moved", "scan endpoints", "all octoseek", "body", "cyber stalking", "pornographer", "urls url", "files", "ip address", "execution", "metro", "medium", "show", "search", "ids detections", "yara detections", "win32", "ppi useragent", "installcapital", "http", "packing t1045", "malware", "write", "obsession", "malvertizing", "masquerading", "ipv4", "pulse submit", "url analysis", "cookie", "status", "domain", "creation date", "trojan", "date", "expiration date", "name servers", "trojanclicker", "encrypt", "error", "ransomware", "malware generator", "meta", "for privacy", "aaaa", "komodo", "asnone united", "alfper", "as22612", "nxdomain", "gmt x", "ransom", "virtool", "log id", "gmtn", "digicert tls", "rsa sha256", "tls web", "full name", "digicert inc", "california", "false", "pulse pulses", "location united", "as16276", "as14061", "code", "next", "url http", "hostname", "files domain", "files related", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "networm", "as13414 twitter", "as32934", "script urls", "a domains", "worm", "entries", "meta http", "window", "select contact", "domain holder", "nexus category", "tackle company", "postal code", "component loop", "apache", "pragma", "value0", "ioc search", "threat analyzer", "hostnames", "dangerous", "target", "targeting", "hacker profile", "cybercrime", "fraud services", "strange", "tsara brashears", "michael roberts", "tracey richter", "voyeurism", "slander", "password", "hijacker" ], "references": [ "https://rexxfield.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | OS & iOS Password and Password Cracker", "www.akhaltsikhe.gov.ge [Germany?]", "screencasts.rexxfield.com", "https://rexxfield.com [ hmmm...inc.legal] is Alienvault a subsidiary of Rexxfields unwarranted investigation/spy campaign? Confused", "https://www.akhaltsikhe.gov.ge/ | GMT Server LiteSpeed location", "94.130.71.173 [scanning host]", "http://www.objectaid.com/update/current/p2.index [AIN Phishing IOC's]", "https://www.couriermail.com.au/ipad/custody-bid-strands-family/news-story/23c2c9a5fc984edc04d29655c641f484", "Michael Roberts Australia, Germany, Iowa, New York Friend of Ben", "Michael Roberts - murder suspect, victim, hacker, PI", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [text, email, collection]", "https://ladys.one/xxx/a-tsara-brashears-zafira-porn", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net [BitCoinAussie ?]", "98cc05d9c12c214deadfe71af22cd3862e7417c0 [backdoor | PPI User-Agent (InstallCapital)]", "a.nel.cloudflare.com / api.w.org", "miles.ns.cloudflare.com", "https://otx.alienvault.com/indicator/url/https://media.toxtren.com/redirect.aspx?pid=272789&&bid=1971&&lpid=2119&&subid=18b8dh9scxi7sbl11f&&sref=inhousecpa&&inhousecpa=Kiev_Dima_BR_Setki", "https://www.google.com/?authuser=0" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "TrojanClicker", "display_name": "TrojanClicker", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "ALFPER:InstallCapital", "display_name": "ALFPER:InstallCapital", "target": null }, { "id": "VirTool:MSIL/CryptInject.CF!MTB", "display_name": "VirTool:MSIL/CryptInject.CF!MTB", "target": "/malware/VirTool:MSIL/CryptInject.CF!MTB" }, { "id": "Win.Malware.Downloadguide-6803841-0", "display_name": "Win.Malware.Downloadguide-6803841-0", "target": null }, { "id": "Win.Packed.kkrunchy-7049457-1", "display_name": "Win.Packed.kkrunchy-7049457-1", "target": null }, { "id": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram", "display_name": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.A", "display_name": "TrojanDownloader:Win32/Upatre.A", "target": "/malware/TrojanDownloader:Win32/Upatre.A" }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "ALF:HeraklezEval:Trojan:BAT/Musecador", "display_name": "ALF:HeraklezEval:Trojan:BAT/Musecador", "target": null }, { "id": "Backdoor:Win32/Wabot.A", "display_name": "Backdoor:Win32/Wabot.A", "target": "/malware/Backdoor:Win32/Wabot.A" }, { "id": "Ransom:Win32/G And Crab!rfn", "display_name": "Ransom:Win32/G And Crab!rfn", "target": "/malware/Ransom:Win32/G And Crab!rfn" }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "#Lowfi:FOP:VirTool:Win32/Injector", "display_name": "#Lowfi:FOP:VirTool:Win32/Injector", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat", "display_name": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat", "target": null }, { "id": "InstallBrain", "display_name": "InstallBrain", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "TrojanSpy:Win32/Bradesco", "display_name": "TrojanSpy:Win32/Bradesco", "target": "/malware/TrojanSpy:Win32/Bradesco" }, { "id": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker", "display_name": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "65a342310ab3d2c69778d608", "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 143, "FileHash-SHA1": 130, "FileHash-SHA256": 1524, "URL": 3340, "domain": 1735, "hostname": 1398, "CVE": 1, "email": 6, "SSLCertFingerprint": 2 }, "indicator_count": 8279, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "772 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65eb98d47b74b50cf8ce6797", "name": "VirTool:Win32/AccessMe | Ghost RAT", "description": "", "modified": "2024-03-08T23:01:40.129000", "created": "2024-03-08T23:01:40.129000", "tags": [ "threat", "feeds ioc", "new ioc", "teams api", "contact", "paste", "iocs", "analyze", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "whois whois", "communicating", "contacted", "family", "roots", "lolkek", "redline stealer", "hacktool", "html info", "title rexxfield", "services", "identify", "meta tags", "rexxfield cyber", "investigation", "divi child", "site kit", "google", "united", "unknown", "as24940 hetzner", "germany unknown", "passive dns", "urls", "title", "moved", "scan endpoints", "all octoseek", "body", "cyber stalking", "pornographer", "urls url", "files", "ip address", "execution", "metro", "medium", "show", "search", "ids detections", "yara detections", "win32", "ppi useragent", "installcapital", "http", "packing t1045", "malware", "write", "obsession", "malvertizing", "masquerading", "ipv4", "pulse submit", "url analysis", "cookie", "status", "domain", "creation date", "trojan", "date", "expiration date", "name servers", "trojanclicker", "encrypt", "error", "ransomware", "malware generator", "meta", "for privacy", "aaaa", "komodo", "asnone united", "alfper", "as22612", "nxdomain", "gmt x", "ransom", "virtool", "log id", "gmtn", "digicert tls", "rsa sha256", "tls web", "full name", "digicert inc", "california", "false", "pulse pulses", "location united", "as16276", "as14061", "code", "next", "url http", "hostname", "files domain", "files related", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "networm", "as13414 twitter", "as32934", "script urls", "a domains", "worm", "entries", "meta http", "window", "select contact", "domain holder", "nexus category", "tackle company", "postal code", "component loop", "apache", "pragma", "value0", "ioc search", "threat analyzer", "hostnames", "dangerous", "target", "targeting", "hacker profile", "cybercrime", "fraud services", "strange", "tsara brashears", "michael roberts", "tracey richter", "voyeurism", "slander", "password", "hijacker" ], "references": [ "https://rexxfield.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | OS & iOS Password and Password Cracker", "www.akhaltsikhe.gov.ge [Germany?]", "screencasts.rexxfield.com", "https://rexxfield.com [ hmmm...inc.legal] is Alienvault a subsidiary of Rexxfields unwarranted investigation/spy campaign? Confused", "https://www.akhaltsikhe.gov.ge/ | GMT Server LiteSpeed location", "94.130.71.173 [scanning host]", "http://www.objectaid.com/update/current/p2.index [AIN Phishing IOC's]", "https://www.couriermail.com.au/ipad/custody-bid-strands-family/news-story/23c2c9a5fc984edc04d29655c641f484", "Michael Roberts Australia, Germany, Iowa, New York Friend of Ben", "Michael Roberts - murder suspect, victim, hacker, PI", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [text, email, collection]", "https://ladys.one/xxx/a-tsara-brashears-zafira-porn", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net [BitCoinAussie ?]", "98cc05d9c12c214deadfe71af22cd3862e7417c0 [backdoor | PPI User-Agent (InstallCapital)]", "a.nel.cloudflare.com / api.w.org", "miles.ns.cloudflare.com", "https://otx.alienvault.com/indicator/url/https://media.toxtren.com/redirect.aspx?pid=272789&&bid=1971&&lpid=2119&&subid=18b8dh9scxi7sbl11f&&sref=inhousecpa&&inhousecpa=Kiev_Dima_BR_Setki", "https://www.google.com/?authuser=0" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "TrojanClicker", "display_name": "TrojanClicker", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "ALFPER:InstallCapital", "display_name": "ALFPER:InstallCapital", "target": null }, { "id": "VirTool:MSIL/CryptInject.CF!MTB", "display_name": "VirTool:MSIL/CryptInject.CF!MTB", "target": "/malware/VirTool:MSIL/CryptInject.CF!MTB" }, { "id": "Win.Malware.Downloadguide-6803841-0", "display_name": "Win.Malware.Downloadguide-6803841-0", "target": null }, { "id": "Win.Packed.kkrunchy-7049457-1", "display_name": "Win.Packed.kkrunchy-7049457-1", "target": null }, { "id": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram", "display_name": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.A", "display_name": "TrojanDownloader:Win32/Upatre.A", "target": "/malware/TrojanDownloader:Win32/Upatre.A" }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "ALF:HeraklezEval:Trojan:BAT/Musecador", "display_name": "ALF:HeraklezEval:Trojan:BAT/Musecador", "target": null }, { "id": "Backdoor:Win32/Wabot.A", "display_name": "Backdoor:Win32/Wabot.A", "target": "/malware/Backdoor:Win32/Wabot.A" }, { "id": "Ransom:Win32/G And Crab!rfn", "display_name": "Ransom:Win32/G And Crab!rfn", "target": "/malware/Ransom:Win32/G And Crab!rfn" }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "#Lowfi:FOP:VirTool:Win32/Injector", "display_name": "#Lowfi:FOP:VirTool:Win32/Injector", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat", "display_name": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat", "target": null }, { "id": "InstallBrain", "display_name": "InstallBrain", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "TrojanSpy:Win32/Bradesco", "display_name": "TrojanSpy:Win32/Bradesco", "target": "/malware/TrojanSpy:Win32/Bradesco" }, { "id": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker", "display_name": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "65acace20c18a7d6c5da2e27", "export_count": 43, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 143, "FileHash-SHA1": 130, "FileHash-SHA256": 1524, "URL": 3340, "domain": 1735, "hostname": 1398, "CVE": 1, "email": 6, "SSLCertFingerprint": 2 }, "indicator_count": 8279, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "772 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a7e576b3cbdf2f86a32acc", "name": "Skynet | prd.connectforhealthco.com | Identity theft |", "description": "Remote interception of health insurance applicants call. Social engineering - threat actor will walk target through process beginning with; verification of phone model, browser used, phone number, email, ssn# entered in staged health insurance enrollment application. Auto forwards ssn# to Experian, locking consumer from of all accounts, credit information is stolen, consumer identity theft. New accounts cannot be created, a password reset is required for scam, all emails requested, bad actor will ask for entire households email accounts, device use, etc. Sends malicious forms to devices. Takes consumer through a lengthy phone transfer scheme +++", "modified": "2024-02-16T13:04:46.804000", "created": "2024-01-17T14:34:30.204000", "tags": [ "whois record", "historical ssl", "ssl certificate", "april", "referrer", "threat roundup", "communicating", "whois", "rwi dtools", "jekyll", "metro", "skynet", "identity theft", "parking crew", "whois whois", "resolutions", "october", "august", "march", "june", "attack", "goldfinder", "sibot", "hacktool", "remote attack", "social engineering", "read c", "get autoit", "search", "regsetvalueexa", "show", "entries", "regdword", "intel", "ms windows", "showing", "autoit", "write", "worm", "copy", "unknown", "win32", "persistence", "execution", "malware", "autorun", "redacted for", "for privacy", "name servers", "date", "scan endpoints", "all octoseek", "hostname", "pulse submit", "url analysis", "encrypt", "next", "sabey", "no expiration", "filehashsha256", "filehashsha1", "filehashmd5", "iocs", "create new", "pulse use", "pdf report", "pcap", "malware beacon", "useragent", "http request", "hostile", "autoit windows", "automation tool", "forbidden", "algorithm", "full name", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "info", "first", "detections type", "name", "javascript", "pdf community", "office open", "xml spreadsheet", "text", "siblings", "process32nextw", "fjlsedauv", "writeconsolea", "medium", "discovery", "high", "module load", "t1129", "united", "as63949 linode", "mtb jan", "passive dns", "backdoor", "mtb dec", "open", "body", "artro", "creation date", "servers", "urls", "record value", "expiration date", "vt graph", "parent referrer", "apple private", "data collection", "hidden privacy", "malicious", "verified", "utc submissions", "submitters", "summary iocs", "graph community", "tucows", "amazonaes", "china telecom", "group", "cloudflarenet", "akamaias", "pty ltd", "argon data", "communication", "limited", "digitaloceanasn", "twitter", "dropbox", "domainsite", "alibaba cloud", "computing", "beijing", "service", "ip address", "latest", "virustotal", "unclejohn", "us autonomous", "system46606", "unified layer", "urls latest", "contacted", "historical", "subdomains", "gootloader", "http response", "final url", "status code", "body length", "kb body", "sha256", "headers", "binary", "sameorigin", "scammer", "spammer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "Sibot - S0589", "display_name": "Sibot - S0589", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Verified", "display_name": "Verified", "target": null }, { "id": "Downloader.Cerber/JS!1.A59C (CLASSIC)", "display_name": "Downloader.Cerber/JS!1.A59C (CLASSIC)", "target": null }, { "id": "W32/Expiro.fam", "display_name": "W32/Expiro.fam", "target": null }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1460", "name": "Biometric Spoofing", "display_name": "T1460 - Biometric Spoofing" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" } ], "industries": [ "Healthcare", "Insurance", "Finance", "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 515, "FileHash-SHA1": 504, "FileHash-SHA256": 3557, "URL": 5450, "domain": 1842, "hostname": 2221, "CVE": 2, "email": 6 }, "indicator_count": 14097, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "793 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a429795adf468b427a3c8b", "name": "Apple | Worm:Win32/Benjamin | thebrotherssabey.com", "description": "Retaliation. Brian Sabey representing as an attorney and many other occupations contacted and socially engineered target. Uncertain of true name. Contacted 'alleged' SA assault victim. Made claims of representing a Jeffrey Scott Reimer DPT' alleged 'S' Assaulter. Substantiated claims made with the twist of 'victim consented'. Mark Brian Sbabeys claims dismissed. Continues to hack, harass, intimidate target in every possible way. Hacking, monitoring, service, modification, phone contact, malicious texting, in person monitoring via colleagues, hacks into medical and medical billing centers, sells/leaks targets data on dark web. Removed targets name from most pulses via remote device access. Self whitelist. Everything he does is illegal.\n\nTarget not important enough to law enforcement.", "modified": "2024-02-13T17:04:19.437000", "created": "2024-01-14T18:35:37.757000", "tags": [ "execution", "whois record", "contacted", "ssl certificate", "whois whois", "contacted urls", "copy", "historical ssl", "referrer", "urls url", "icmp", "malicious", "installer", "problems", "collections", "report", "phishing", "service tool", "greatness", "threat network", "emotet", "magniber", "startpage", "attack", "banker", "keylogger", "namecheap inc", "com laude", "ltd dba", "cloudflare", "porkbun llc", "ii llc", "csc corporate", "domains", "computer", "company limited", "first", "cloudflarenet", "google", "amazon02", "akamaias", "telecom italia", "utc submissions", "microsoftcorpas", "indonesia", "beijing gu", "appleaustin", "sucurisec", "amazonaes", "limited", "tsara brashears", "pornhub", "thebrotherssabey", "then brothers sabey", "brian sabey", "apple", "icloud", "apple engineering", "soc", "hacker", "teams", "malvertizing", "cyberthreat", "cyber crime", "data", "v3 serial", "number", "cgb stgreater", "ecc domain", "server ca", "subject public", "key info", "key algorithm", "ec oid", "remote", "remote attacker", "benjamin", "worm", "trojan", "win32", "trojanspy", "ransomware", "command and control", "cnc", "c2", "stealer", "password", "apple unlocker", "pornographers", "cyber stalking", "revenge rat", "masquerading", "scanning host", "phishing", "dns", "network", "cobalt strike", "mitre attack", "metro hacker", "t-mobile hacker", "stalker", "social engineering", "et", "torrent trecker", "view", "duckdns", "blackhat", "data center", "tracking", "illegal", "malware scripting", "malware spreader", "network rat", "multiple botnetworks" ], "references": [ "https://thebrotherssabey.wordpress.com/", "acam-mdn.apple.com", "beacons.bcp.gvt.com", "cpcontacts.webcamara.online", "http://dreamsofspanking.com/scene/item/rosie-backlash-caning?utm_campaign=apr15", "http://ti.hicloudcam.com", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://search.app.goo.gl/?ofl", "Worm:Win32/Benjamin", "FileHash-SHA256\t00000254e6344d34a1e4ef157cb01d8b7efa65c22c996f9dfe85e7482c6c86ab", "FileHash-MD5\ted5c771224fbd6f9b2c0cf1e8cce09b5", "FileHash-SHA1\tf336b50f5cca2ddc0341e2c4001b419a830d27a5", "applemusic-spotlight.myunidays.com", "nr-data.net", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4", "blackhat.store", "api.telegram.org", "cobaltstrike4.tk | https://cobaltstrike4.tk:8443/include/template/isx.php" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Silk", "display_name": "Silk", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2462, "URL": 5950, "FileHash-MD5": 168, "FileHash-SHA1": 156, "FileHash-SHA256": 3901, "CIDR": 2, "hostname": 2766, "email": 2, "CVE": 1 }, "indicator_count": 15408, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "796 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65afc9cf333bbda03a18e03c", "name": "VirTool:Win32/AccessMe | Ghost RAT", "description": "", "modified": "2024-02-13T00:04:59.507000", "created": "2024-01-23T14:14:39.725000", "tags": [ "threat", "feeds ioc", "new ioc", "teams api", "contact", "paste", "iocs", "analyze", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "whois whois", "communicating", "contacted", "family", "roots", "lolkek", "redline stealer", "hacktool", "html info", "title rexxfield", "services", "identify", "meta tags", "rexxfield cyber", "investigation", "divi child", "site kit", "google", "united", "unknown", "as24940 hetzner", "germany unknown", "passive dns", "urls", "title", "moved", "scan endpoints", "all octoseek", "body", "cyber stalking", "pornographer", "urls url", "files", "ip address", "execution", "metro", "medium", "show", "search", "ids detections", "yara detections", "win32", "ppi useragent", "installcapital", "http", "packing t1045", "malware", "write", "obsession", "malvertizing", "masquerading", "ipv4", "pulse submit", "url analysis", "cookie", "status", "domain", "creation date", "trojan", "date", "expiration date", "name servers", "trojanclicker", "encrypt", "error", "ransomware", "malware generator", "meta", "for privacy", "aaaa", "komodo", "asnone united", "alfper", "as22612", "nxdomain", "gmt x", "ransom", "virtool", "log id", "gmtn", "digicert tls", "rsa sha256", "tls web", "full name", "digicert inc", "california", "false", "pulse pulses", "location united", "as16276", "as14061", "code", "next", "url http", "hostname", "files domain", "files related", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "networm", "as13414 twitter", "as32934", "script urls", "a domains", "worm", "entries", "meta http", "window", "select contact", "domain holder", "nexus category", "tackle company", "postal code", "component loop", "apache", "pragma", "value0", "ioc search", "threat analyzer", "hostnames", "dangerous", "target", "targeting", "hacker profile", "cybercrime", "fraud services", "strange", "tsara brashears", "michael roberts", "tracey richter", "voyeurism", "slander", "password", "hijacker" ], "references": [ "https://rexxfield.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | OS & iOS Password and Password Cracker", "www.akhaltsikhe.gov.ge [Germany?]", "screencasts.rexxfield.com", "https://rexxfield.com [ hmmm...inc.legal] is Alienvault a subsidiary of Rexxfields unwarranted investigation/spy campaign? Confused", "https://www.akhaltsikhe.gov.ge/ | GMT Server LiteSpeed location", "94.130.71.173 [scanning host]", "http://www.objectaid.com/update/current/p2.index [AIN Phishing IOC's]", "https://www.couriermail.com.au/ipad/custody-bid-strands-family/news-story/23c2c9a5fc984edc04d29655c641f484", "Michael Roberts Australia, Germany, Iowa, New York Friend of Ben", "Michael Roberts - murder suspect, victim, hacker, PI", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [text, email, collection]", "https://ladys.one/xxx/a-tsara-brashears-zafira-porn", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net [BitCoinAussie ?]", "98cc05d9c12c214deadfe71af22cd3862e7417c0 [backdoor | PPI User-Agent (InstallCapital)]", "a.nel.cloudflare.com / api.w.org", "miles.ns.cloudflare.com", "https://otx.alienvault.com/indicator/url/https://media.toxtren.com/redirect.aspx?pid=272789&&bid=1971&&lpid=2119&&subid=18b8dh9scxi7sbl11f&&sref=inhousecpa&&inhousecpa=Kiev_Dima_BR_Setki", "https://www.google.com/?authuser=0" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "TrojanClicker", "display_name": "TrojanClicker", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "ALFPER:InstallCapital", "display_name": "ALFPER:InstallCapital", "target": null }, { "id": "VirTool:MSIL/CryptInject.CF!MTB", "display_name": "VirTool:MSIL/CryptInject.CF!MTB", "target": "/malware/VirTool:MSIL/CryptInject.CF!MTB" }, { "id": "Win.Malware.Downloadguide-6803841-0", "display_name": "Win.Malware.Downloadguide-6803841-0", "target": null }, { "id": "Win.Packed.kkrunchy-7049457-1", "display_name": "Win.Packed.kkrunchy-7049457-1", "target": null }, { "id": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram", "display_name": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.A", "display_name": "TrojanDownloader:Win32/Upatre.A", "target": "/malware/TrojanDownloader:Win32/Upatre.A" }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "ALF:HeraklezEval:Trojan:BAT/Musecador", "display_name": "ALF:HeraklezEval:Trojan:BAT/Musecador", "target": null }, { "id": "Backdoor:Win32/Wabot.A", "display_name": "Backdoor:Win32/Wabot.A", "target": "/malware/Backdoor:Win32/Wabot.A" }, { "id": "Ransom:Win32/G And Crab!rfn", "display_name": "Ransom:Win32/G And Crab!rfn", "target": "/malware/Ransom:Win32/G And Crab!rfn" }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "#Lowfi:FOP:VirTool:Win32/Injector", "display_name": "#Lowfi:FOP:VirTool:Win32/Injector", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat", "display_name": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat", "target": null }, { "id": "InstallBrain", "display_name": "InstallBrain", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "TrojanSpy:Win32/Bradesco", "display_name": "TrojanSpy:Win32/Bradesco", "target": "/malware/TrojanSpy:Win32/Bradesco" }, { "id": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker", "display_name": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "65acace20c18a7d6c5da2e27", "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 143, "FileHash-SHA1": 130, "FileHash-SHA256": 1524, "URL": 3340, "domain": 1735, "hostname": 1398, "CVE": 1, "email": 6, "SSLCertFingerprint": 2 }, "indicator_count": 8279, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "797 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65acace20c18a7d6c5da2e27", "name": "VirTool:Win32/AccessMe | Ghost RAT", "description": "", "modified": "2024-02-13T00:04:59.507000", "created": "2024-01-21T05:34:26.800000", "tags": [ "threat", "feeds ioc", "new ioc", "teams api", "contact", "paste", "iocs", "analyze", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "whois whois", "communicating", "contacted", "family", "roots", "lolkek", "redline stealer", "hacktool", "html info", "title rexxfield", "services", "identify", "meta tags", "rexxfield cyber", "investigation", "divi child", "site kit", "google", "united", "unknown", "as24940 hetzner", "germany unknown", "passive dns", "urls", "title", "moved", "scan endpoints", "all octoseek", "body", "cyber stalking", "pornographer", "urls url", "files", "ip address", "execution", "metro", "medium", "show", "search", "ids detections", "yara detections", "win32", "ppi useragent", "installcapital", "http", "packing t1045", "malware", "write", "obsession", "malvertizing", "masquerading", "ipv4", "pulse submit", "url analysis", "cookie", "status", "domain", "creation date", "trojan", "date", "expiration date", "name servers", "trojanclicker", "encrypt", "error", "ransomware", "malware generator", "meta", "for privacy", "aaaa", "komodo", "asnone united", "alfper", "as22612", "nxdomain", "gmt x", "ransom", "virtool", "log id", "gmtn", "digicert tls", "rsa sha256", "tls web", "full name", "digicert inc", "california", "false", "pulse pulses", "location united", "as16276", "as14061", "code", "next", "url http", "hostname", "files domain", "files related", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "networm", "as13414 twitter", "as32934", "script urls", "a domains", "worm", "entries", "meta http", "window", "select contact", "domain holder", "nexus category", "tackle company", "postal code", "component loop", "apache", "pragma", "value0", "ioc search", "threat analyzer", "hostnames", "dangerous", "target", "targeting", "hacker profile", "cybercrime", "fraud services", "strange", "tsara brashears", "michael roberts", "tracey richter", "voyeurism", "slander", "password", "hijacker" ], "references": [ "https://rexxfield.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | OS & iOS Password and Password Cracker", "www.akhaltsikhe.gov.ge [Germany?]", "screencasts.rexxfield.com", "https://rexxfield.com [ hmmm...inc.legal] is Alienvault a subsidiary of Rexxfields unwarranted investigation/spy campaign? Confused", "https://www.akhaltsikhe.gov.ge/ | GMT Server LiteSpeed location", "94.130.71.173 [scanning host]", "http://www.objectaid.com/update/current/p2.index [AIN Phishing IOC's]", "https://www.couriermail.com.au/ipad/custody-bid-strands-family/news-story/23c2c9a5fc984edc04d29655c641f484", "Michael Roberts Australia, Germany, Iowa, New York Friend of Ben", "Michael Roberts - murder suspect, victim, hacker, PI", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [text, email, collection]", "https://ladys.one/xxx/a-tsara-brashears-zafira-porn", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net [BitCoinAussie ?]", "98cc05d9c12c214deadfe71af22cd3862e7417c0 [backdoor | PPI User-Agent (InstallCapital)]", "a.nel.cloudflare.com / api.w.org", "miles.ns.cloudflare.com", "https://otx.alienvault.com/indicator/url/https://media.toxtren.com/redirect.aspx?pid=272789&&bid=1971&&lpid=2119&&subid=18b8dh9scxi7sbl11f&&sref=inhousecpa&&inhousecpa=Kiev_Dima_BR_Setki", "https://www.google.com/?authuser=0" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "TrojanClicker", "display_name": "TrojanClicker", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "ALFPER:InstallCapital", "display_name": "ALFPER:InstallCapital", "target": null }, { "id": "VirTool:MSIL/CryptInject.CF!MTB", "display_name": "VirTool:MSIL/CryptInject.CF!MTB", "target": "/malware/VirTool:MSIL/CryptInject.CF!MTB" }, { "id": "Win.Malware.Downloadguide-6803841-0", "display_name": "Win.Malware.Downloadguide-6803841-0", "target": null }, { "id": "Win.Packed.kkrunchy-7049457-1", "display_name": "Win.Packed.kkrunchy-7049457-1", "target": null }, { "id": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram", "display_name": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.A", "display_name": "TrojanDownloader:Win32/Upatre.A", "target": "/malware/TrojanDownloader:Win32/Upatre.A" }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "ALF:HeraklezEval:Trojan:BAT/Musecador", "display_name": "ALF:HeraklezEval:Trojan:BAT/Musecador", "target": null }, { "id": "Backdoor:Win32/Wabot.A", "display_name": "Backdoor:Win32/Wabot.A", "target": "/malware/Backdoor:Win32/Wabot.A" }, { "id": "Ransom:Win32/G And Crab!rfn", "display_name": "Ransom:Win32/G And Crab!rfn", "target": "/malware/Ransom:Win32/G And Crab!rfn" }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "#Lowfi:FOP:VirTool:Win32/Injector", "display_name": "#Lowfi:FOP:VirTool:Win32/Injector", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat", "display_name": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat", "target": null }, { "id": "InstallBrain", "display_name": "InstallBrain", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "TrojanSpy:Win32/Bradesco", "display_name": "TrojanSpy:Win32/Bradesco", "target": "/malware/TrojanSpy:Win32/Bradesco" }, { "id": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker", "display_name": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "65a342310ab3d2c69778d608", "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 143, "FileHash-SHA1": 130, "FileHash-SHA256": 1524, "URL": 3340, "domain": 1735, "hostname": 1398, "CVE": 1, "email": 6, "SSLCertFingerprint": 2 }, "indicator_count": 8279, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "797 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a342310ab3d2c69778d608", "name": "VirTool:MSIL/CryptInject.CF!MTB | Rexxfield? Weird stuff", "description": "Remotely accessed device. Alleges Relationship to OTX? What I know is what I've read. Michael Roberts of Rexxfield supposedly assists, attorneys, law enforcement & helps doctors cover their crimes, injects malicious code, honeypots the web, terrorizing SA victims/allegers. Roberts is allegedly a hacker mastermind who shows his face or one of the many profiles of a hacker group targeting Tsara Brashears and https://SafeBae.org. Brashears is linked in malicious websites, Roberts suspect with ex-wife Tracey Richter alleged murderer. This is all crazy, still; Brashears is a real person in danger. I don't get it. I'm stupid", "modified": "2024-02-13T00:04:59.507000", "created": "2024-01-14T02:08:49.638000", "tags": [ "threat", "feeds ioc", "new ioc", "teams api", "contact", "paste", "iocs", "analyze", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "whois whois", "communicating", "contacted", "family", "roots", "lolkek", "redline stealer", "hacktool", "html info", "title rexxfield", "services", "identify", "meta tags", "rexxfield cyber", "investigation", "divi child", "site kit", "google", "united", "unknown", "as24940 hetzner", "germany unknown", "passive dns", "urls", "title", "moved", "scan endpoints", "all octoseek", "body", "cyber stalking", "pornographer", "urls url", "files", "ip address", "execution", "metro", "medium", "show", "search", "ids detections", "yara detections", "win32", "ppi useragent", "installcapital", "http", "packing t1045", "malware", "write", "obsession", "malvertizing", "masquerading", "ipv4", "pulse submit", "url analysis", "cookie", "status", "domain", "creation date", "trojan", "date", "expiration date", "name servers", "trojanclicker", "encrypt", "error", "ransomware", "malware generator", "meta", "for privacy", "aaaa", "komodo", "asnone united", "alfper", "as22612", "nxdomain", "gmt x", "ransom", "virtool", "log id", "gmtn", "digicert tls", "rsa sha256", "tls web", "full name", "digicert inc", "california", "false", "pulse pulses", "location united", "as16276", "as14061", "code", "next", "url http", "hostname", "files domain", "files related", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "networm", "as13414 twitter", "as32934", "script urls", "a domains", "worm", "entries", "meta http", "window", "select contact", "domain holder", "nexus category", "tackle company", "postal code", "component loop", "apache", "pragma", "value0", "ioc search", "threat analyzer", "hostnames", "dangerous", "target", "targeting", "hacker profile", "cybercrime", "fraud services", "strange", "tsara brashears", "michael roberts", "tracey richter", "voyeurism", "slander", "password", "hijacker" ], "references": [ "https://rexxfield.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | OS & iOS Password and Password Cracker", "www.akhaltsikhe.gov.ge [Germany?]", "screencasts.rexxfield.com", "https://rexxfield.com [ hmmm...inc.legal] is Alienvault a subsidiary of Rexxfields unwarranted investigation/spy campaign? Confused", "https://www.akhaltsikhe.gov.ge/ | GMT Server LiteSpeed location", "94.130.71.173 [scanning host]", "http://www.objectaid.com/update/current/p2.index [AIN Phishing IOC's]", "https://www.couriermail.com.au/ipad/custody-bid-strands-family/news-story/23c2c9a5fc984edc04d29655c641f484", "Michael Roberts Australia, Germany, Iowa, New York Friend of Ben", "Michael Roberts - murder suspect, victim, hacker, PI", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [text, email, collection]", "https://ladys.one/xxx/a-tsara-brashears-zafira-porn", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net [BitCoinAussie ?]", "98cc05d9c12c214deadfe71af22cd3862e7417c0 [backdoor | PPI User-Agent (InstallCapital)]", "a.nel.cloudflare.com / api.w.org", "miles.ns.cloudflare.com", "https://otx.alienvault.com/indicator/url/https://media.toxtren.com/redirect.aspx?pid=272789&&bid=1971&&lpid=2119&&subid=18b8dh9scxi7sbl11f&&sref=inhousecpa&&inhousecpa=Kiev_Dima_BR_Setki", "https://www.google.com/?authuser=0" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "TrojanClicker", "display_name": "TrojanClicker", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "ALFPER:InstallCapital", "display_name": "ALFPER:InstallCapital", "target": null }, { "id": "VirTool:MSIL/CryptInject.CF!MTB", "display_name": "VirTool:MSIL/CryptInject.CF!MTB", "target": "/malware/VirTool:MSIL/CryptInject.CF!MTB" }, { "id": "Win.Malware.Downloadguide-6803841-0", "display_name": "Win.Malware.Downloadguide-6803841-0", "target": null }, { "id": "Win.Packed.kkrunchy-7049457-1", "display_name": "Win.Packed.kkrunchy-7049457-1", "target": null }, { "id": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram", "display_name": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.A", "display_name": "TrojanDownloader:Win32/Upatre.A", "target": "/malware/TrojanDownloader:Win32/Upatre.A" }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "ALF:HeraklezEval:Trojan:BAT/Musecador", "display_name": "ALF:HeraklezEval:Trojan:BAT/Musecador", "target": null }, { "id": "Backdoor:Win32/Wabot.A", "display_name": "Backdoor:Win32/Wabot.A", "target": "/malware/Backdoor:Win32/Wabot.A" }, { "id": "Ransom:Win32/G And Crab!rfn", "display_name": "Ransom:Win32/G And Crab!rfn", "target": "/malware/Ransom:Win32/G And Crab!rfn" }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "#Lowfi:FOP:VirTool:Win32/Injector", "display_name": "#Lowfi:FOP:VirTool:Win32/Injector", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat", "display_name": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat", "target": null }, { "id": "InstallBrain", "display_name": "InstallBrain", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "TrojanSpy:Win32/Bradesco", "display_name": "TrojanSpy:Win32/Bradesco", "target": "/malware/TrojanSpy:Win32/Bradesco" }, { "id": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker", "display_name": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 143, "FileHash-SHA1": 130, "FileHash-SHA256": 1524, "URL": 3340, "domain": 1735, "hostname": 1398, "CVE": 1, "email": 6, "SSLCertFingerprint": 2 }, "indicator_count": 8279, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "797 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a48ab7cd0bd218b17ccf6c", "name": "Botnet Command and Control Server | Malware", "description": "", "modified": "2024-02-06T20:02:52.205000", "created": "2024-01-15T01:30:31.655000", "tags": [ "passive dns", "urls", "scan endpoints", "all octoseek", "url http", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "status code", "body", "httponly", "ssl certificate", "historical ssl", "whois record", "parent referrer", "whois whois", "communicating", "contacted", "contacted urls", "bundled", "pe resource", "dropped", "army", "machinename", "execution", "referrer", "malware distribution site", "phishing dropbox", "evasive", "banker", "dde", "dridex", "exploit", "dyre", "dyreza", "ransomware", "mydoom", "backdoor", "svg", "phising", "locky", "e-mail provider phishing", "spear phishing", "retefe", "defacement", "phishing development bank of singapore", "banjori", "suppobox", "zeus", "pony", "solar", "ransomware locky distribution site", "nymaim", "shade", "troldesh", "tvrat", "zbot", "elocky", "wisdomeyes", "kryptic", "sinkhole", "exploit", "worm", "backdoor", "injector", "botnet command and control server", "unknown", "domain", "creation date", "search", "date", "hostname", "next", "all search", "otx octoseek", "united", "as13335", "ipv4", "pulse submit", "url analysis", "iocs", "ioc search", "new ioc", "teams api", "contact", "files", "nxdomain", "win32", "meta", "wabot", "gmt contenttype", "dnssec", "name", "win32 exe", "detections file", "file size", "kb file", "domains", "registrar", "markmonitor inc", "status", "susp", "expiration date", "name servers", "domain related", "entries", "johnnsabey", "m. brian sabey", "mark sabey", "sabey data center", "utah", "http method", "http requests", "connect http", "get dns", "resolutions", "ip traffic", "problems", "alienvault part", "kgs0", "kls0", "schema abuse", "sneaky server", "iframe", "apple", "data collection" ], "references": [ "http://security.didici.cc/cve" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "virus.virlock/nabucur", "display_name": "virus.virlock/nabucur", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "Locky", "display_name": "Locky", "target": null }, { "id": "Defacement", "display_name": "Defacement", "target": null }, { "id": "Banjori", "display_name": "Banjori", "target": null }, { "id": "Trojan.AvsEtecer", "display_name": "Trojan.AvsEtecer", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Solar", "display_name": "Solar", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "TV RAT", "display_name": "TV RAT", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Dyre", "display_name": "Dyre", "target": null }, { "id": "ELocky", "display_name": "ELocky", "target": null }, { "id": "Dridex", "display_name": "Dridex", "target": null }, { "id": "Locky (Decryptor)", "display_name": "Locky (Decryptor)", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Trojan.WisdomEyes.16070401.9500", "display_name": "Trojan.WisdomEyes.16070401.9500", "target": null }, { "id": "Gen:Variant.Strictor", "display_name": "Gen:Variant.Strictor", "target": null }, { "id": "Adware.BrowseFox", "display_name": "Adware.BrowseFox", "target": null }, { "id": "W32.eHeur", "display_name": "W32.eHeur", "target": null }, { "id": "MSIL_Kryptik.P.gen", "display_name": "MSIL_Kryptik.P.gen", "target": null }, { "id": "pykspa_v2_fake", "display_name": "pykspa_v2_fake", "target": null }, { "id": "Worm:Win32/Pykspa", "display_name": "Worm:Win32/Pykspa", "target": "/malware/Worm:Win32/Pykspa" }, { "id": "Pykspa", "display_name": "Pykspa", "target": null }, { "id": "TEL:Exploit:Win32/Sinkers", "display_name": "TEL:Exploit:Win32/Sinkers", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null } ], "attack_ids": [ { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1594", "name": "Search Victim-Owned Websites", "display_name": "T1594 - Search Victim-Owned Websites" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" }, { "id": "T1574.008", "name": "Path Interception by Search Order Hijacking", "display_name": "T1574.008 - Path Interception by Search Order Hijacking" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" } ], "industries": [], "TLP": "white", "cloned_from": "659b0fd1ac7cb4d83834db1f", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 231, "FileHash-SHA256": 3121, "URL": 4225, "domain": 1725, "hostname": 1416, "FileHash-SHA1": 225, "CVE": 2, "email": 3 }, "indicator_count": 10948, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "803 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659b0fd1ac7cb4d83834db1f", "name": "Botnet Command and Control Server | Malware Distribution Site", "description": "", "modified": "2024-02-06T20:02:52.205000", "created": "2024-01-07T20:55:45.006000", "tags": [ "passive dns", "urls", "scan endpoints", "all octoseek", "url http", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "status code", "body", "httponly", "ssl certificate", "historical ssl", "whois record", "parent referrer", "whois whois", "communicating", "contacted", "contacted urls", "bundled", "pe resource", "dropped", "army", "machinename", "execution", "referrer", "malware distribution site", "phishing dropbox", "evasive", "banker", "dde", "dridex", "exploit", "dyre", "dyreza", "ransomware", "mydoom", "backdoor", "svg", "phising", "locky", "e-mail provider phishing", "spear phishing", "retefe", "defacement", "phishing development bank of singapore", "banjori", "suppobox", "zeus", "pony", "solar", "ransomware locky distribution site", "nymaim", "shade", "troldesh", "tvrat", "zbot", "elocky", "wisdomeyes", "kryptic", "sinkhole", "exploit", "worm", "backdoor", "injector", "botnet command and control server", "unknown", "domain", "creation date", "search", "date", "hostname", "next", "all search", "otx octoseek", "united", "as13335", "ipv4", "pulse submit", "url analysis", "iocs", "ioc search", "new ioc", "teams api", "contact", "files", "nxdomain", "win32", "meta", "wabot", "gmt contenttype", "dnssec", "name", "win32 exe", "detections file", "file size", "kb file", "domains", "registrar", "markmonitor inc", "status", "susp", "expiration date", "name servers", "domain related", "entries", "johnnsabey", "m. brian sabey", "mark sabey", "sabey data center", "utah", "http method", "http requests", "connect http", "get dns", "resolutions", "ip traffic", "problems", "alienvault part", "kgs0", "kls0", "schema abuse", "sneaky server", "iframe", "apple", "data collection" ], "references": [ "http://security.didici.cc/cve" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "virus.virlock/nabucur", "display_name": "virus.virlock/nabucur", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "Locky", "display_name": "Locky", "target": null }, { "id": "Defacement", "display_name": "Defacement", "target": null }, { "id": "Banjori", "display_name": "Banjori", "target": null }, { "id": "Trojan.AvsEtecer", "display_name": "Trojan.AvsEtecer", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Solar", "display_name": "Solar", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "TV RAT", "display_name": "TV RAT", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Dyre", "display_name": "Dyre", "target": null }, { "id": "ELocky", "display_name": "ELocky", "target": null }, { "id": "Dridex", "display_name": "Dridex", "target": null }, { "id": "Locky (Decryptor)", "display_name": "Locky (Decryptor)", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Trojan.WisdomEyes.16070401.9500", "display_name": "Trojan.WisdomEyes.16070401.9500", "target": null }, { "id": "Gen:Variant.Strictor", "display_name": "Gen:Variant.Strictor", "target": null }, { "id": "Adware.BrowseFox", "display_name": "Adware.BrowseFox", "target": null }, { "id": "W32.eHeur", "display_name": "W32.eHeur", "target": null }, { "id": "MSIL_Kryptik.P.gen", "display_name": "MSIL_Kryptik.P.gen", "target": null }, { "id": "pykspa_v2_fake", "display_name": "pykspa_v2_fake", "target": null }, { "id": "Worm:Win32/Pykspa", "display_name": "Worm:Win32/Pykspa", "target": "/malware/Worm:Win32/Pykspa" }, { "id": "Pykspa", "display_name": "Pykspa", "target": null }, { "id": "TEL:Exploit:Win32/Sinkers", "display_name": "TEL:Exploit:Win32/Sinkers", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null } ], "attack_ids": [ { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1594", "name": "Search Victim-Owned Websites", "display_name": "T1594 - Search Victim-Owned Websites" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" }, { "id": "T1574.008", "name": "Path Interception by Search Order Hijacking", "display_name": "T1574.008 - Path Interception by Search Order Hijacking" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 231, "FileHash-SHA256": 3121, "URL": 4225, "domain": 1725, "hostname": 1416, "FileHash-SHA1": 225, "CVE": 2, "email": 3 }, "indicator_count": 10948, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "803 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659ab33e614882a4a7451ca8", "name": "Simda | Sabey Data Center | https://nsa.gov1.info/utah-data-center/", "description": "SIMDA is a family of backdoors capable of stealing information such as user names, passwords, and certificates. It steals information via its keylogging and HTML injection routines. \nReference: TrendMicro\n\nMALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Simda\nWin32.Trojan-Spy.Shiz.b\nParody named 'not the Whitehouse' -https://whois.domaintools.com/gov1.info\nM.Brian Sabey \nTargets Tsara Brashears", "modified": "2024-02-06T14:00:04.985000", "created": "2024-01-07T14:20:46.936000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "redacted for", "privacy tech", "privacy admin", "date", "server", "country", "organization", "postal code", "stateprovince", "code", "whois record", "ssl certificate", "historical ssl", "whois whois", "september", "redline stealer", "whois", "threat roundup", "bangladesh", "communicating", "prynt stealer", "banker", "keylogger", "dtrack", "prynt", "name verdict", "falcon sandbox", "pattern match", "jpeg image", "jfif", "ascii text", "united", "appdata", "file", "indicator", "et tor", "known tor", "class", "unknown", "general", "hybrid", "local", "win64", "click", "twitter", "strings", "generator", "critical", "error", "trident", "cascade", "darpa", "registrar", "rdds service", "record", "registrant", "admin", "tech contact", "whois service", "form", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "headers nel", "contentencoding", "gmt connection", "search", "for privacy", "status", "showing", "passive dns", "urls", "ionos se", "creation date", "next", "aaaa", "pulse pulses", "files", "united kingdom", "whitelisted", "worm", "gmt contenttype", "scan endpoints", "all octoseek", "ipv4", "body", "http", "unique", "screenshot", "url http", "ip address", "internet se", "emails", "name servers", "dnssec", "as63949 linode", "all search", "otx octoseek", "related nids", "reverse dns", "netherlands asn", "contacted", "resolutions", "referrer", "mirai malware", "urls http", "parent referrer", "certificate", "record value", "entries", "dynamicloader", "yara rule", "high", "sinkhole cookie", "et trojan", "medium", "yara detections", "virtool", "value snkz", "less see", "possible", "august", "copy", "expiro", "public folder", "pictures", "videos", "music", "anomalous file", "media player", "url https", "delete c", "ms windows", "pe32", "intel", "windows nt", "wow64", "khtml", "gecko", "query", "write", "malware", "template", "findwindowa", "ollydbg", "regsetvalueexa", "regdword", "high process", "x8bxe5", "regbinary", "injection t1055", "t1055", "zeppelin", "win32", "internal", "malware beacon", "a checkin", "create c", "read c", "write c", "msie", "suspicious", "slcc2", "media center", "as20940", "as2914 ntt", "as16625 akamai", "a domains", "cdata", "script", "as8068", "mtb oct", "location canada", "trojanspy", "xpire.info", "searchmeup", "cname", "as35994 akamai", "as14061", "as9009 m247", "samples", "as25577 ide", "hostnames", "show", "info compiler", "products", "vs2008 sp1", "vs2008", "vs2010", "header target", "machine intel", "utc entry", "point", "sections", "info", "hashes c2ae", "zenbox", "detections file", "name", "html", "win32 exe", "javascript", "contacted ip", "ip detections", "gandi sas", "godaddy online", "cayman", "dynadot", "domains", "psiusa", "domain robot", "dynadot inc", "net technology", "tsara brashears", "apple phone", "unlocker", "shell code", "simda", "amazon 02", "metro", "infected", "qakbot" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Prynt", "display_name": "Prynt", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Xpire.info", "display_name": "Xpire.info", "target": null }, { "id": "Searchmeup", "display_name": "Searchmeup", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2129, "FileHash-SHA1": 1459, "FileHash-SHA256": 5050, "URL": 7341, "domain": 3041, "hostname": 3214, "email": 12, "CVE": 1 }, "indicator_count": 22247, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "803 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659ab3389d6c91dc01801fe5", "name": "Simda | Sabey Data Center | https://nsa.gov1.info/utah-data-center/", "description": "SIMDA is a family of backdoors capable of stealing information such as user names, passwords, and certificates. It steals information via its keylogging and HTML injection routines. \nReference: TrendMicro\n\nMALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Simda\nWin32.Trojan-Spy.Shiz.b\nParody named 'not the Whitehouse' -https://whois.domaintools.com/gov1.info\nM.Brian Sabey \nTargets Tsara Brashears", "modified": "2024-02-06T14:00:04.985000", "created": "2024-01-07T14:20:40.610000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "redacted for", "privacy tech", "privacy admin", "date", "server", "country", "organization", "postal code", "stateprovince", "code", "whois record", "ssl certificate", "historical ssl", "whois whois", "september", "redline stealer", "whois", "threat roundup", "bangladesh", "communicating", "prynt stealer", "banker", "keylogger", "dtrack", "prynt", "name verdict", "falcon sandbox", "pattern match", "jpeg image", "jfif", "ascii text", "united", "appdata", "file", "indicator", "et tor", "known tor", "class", "unknown", "general", "hybrid", "local", "win64", "click", "twitter", "strings", "generator", "critical", "error", "trident", "cascade", "darpa", "registrar", "rdds service", "record", "registrant", "admin", "tech contact", "whois service", "form", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "headers nel", "contentencoding", "gmt connection", "search", "for privacy", "status", "showing", "passive dns", "urls", "ionos se", "creation date", "next", "aaaa", "pulse pulses", "files", "united kingdom", "whitelisted", "worm", "gmt contenttype", "scan endpoints", "all octoseek", "ipv4", "body", "http", "unique", "screenshot", "url http", "ip address", "internet se", "emails", "name servers", "dnssec", "as63949 linode", "all search", "otx octoseek", "related nids", "reverse dns", "netherlands asn", "contacted", "resolutions", "referrer", "mirai malware", "urls http", "parent referrer", "certificate", "record value", "entries", "dynamicloader", "yara rule", "high", "sinkhole cookie", "et trojan", "medium", "yara detections", "virtool", "value snkz", "less see", "possible", "august", "copy", "expiro", "public folder", "pictures", "videos", "music", "anomalous file", "media player", "url https", "delete c", "ms windows", "pe32", "intel", "windows nt", "wow64", "khtml", "gecko", "query", "write", "malware", "template", "findwindowa", "ollydbg", "regsetvalueexa", "regdword", "high process", "x8bxe5", "regbinary", "injection t1055", "t1055", "zeppelin", "win32", "internal", "malware beacon", "a checkin", "create c", "read c", "write c", "msie", "suspicious", "slcc2", "media center", "as20940", "as2914 ntt", "as16625 akamai", "a domains", "cdata", "script", "as8068", "mtb oct", "location canada", "trojanspy", "xpire.info", "searchmeup", "cname", "as35994 akamai", "as14061", "as9009 m247", "samples", "as25577 ide", "hostnames", "show", "info compiler", "products", "vs2008 sp1", "vs2008", "vs2010", "header target", "machine intel", "utc entry", "point", "sections", "info", "hashes c2ae", "zenbox", "detections file", "name", "html", "win32 exe", "javascript", "contacted ip", "ip detections", "gandi sas", "godaddy online", "cayman", "dynadot", "domains", "psiusa", "domain robot", "dynadot inc", "net technology", "tsara brashears", "apple phone", "unlocker", "shell code", "simda", "amazon 02", "metro", "infected", "qakbot" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Prynt", "display_name": "Prynt", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Xpire.info", "display_name": "Xpire.info", "target": null }, { "id": "Searchmeup", "display_name": "Searchmeup", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2129, "FileHash-SHA1": 1459, "FileHash-SHA256": 5050, "URL": 7341, "domain": 3041, "hostname": 3214, "email": 12, "CVE": 1 }, "indicator_count": 22247, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "803 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6597fa4da16bd99cc5c02528", "name": "Botnet Campaign", "description": "", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:47:09.406000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6597f9c7542ffc6fffaecb30", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6597fa4d4b5e060fb8a606a8", "name": "Botnet Campaign", "description": "", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:47:09.403000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6597f9c7542ffc6fffaecb30", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6597f9c7542ffc6fffaecb30", "name": "Injection (RunPE) |Win.Packer - https://myminiweb.com", "description": "polypragmonic, dns, win.packer, ig hacking, network bind, tracking", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:44:55.030000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659719b77c383c73c05208a9", "name": "Content Reputation | ET | Botnet | Targeting", "description": "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "modified": "2024-02-03T19:04:07.916000", "created": "2024-01-04T20:48:55.431000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3501, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28411, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "806 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a7e6e042a968005f7a5552", "name": "Content Reputation | ET | Botnet | Targeting", "description": "", "modified": "2024-02-03T19:04:07.916000", "created": "2024-01-17T14:40:32.084000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "659719b77c383c73c05208a9", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3501, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28411, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "806 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc13594cf21dbe00b94807", "name": "Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection", "description": "", "modified": "2024-02-03T19:04:07.916000", "created": "2024-02-01T21:55:37.581000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "65b85faa9b8e3e1206d7f25c", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3501, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28411, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "806 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65944a8149f2479b2fbc6cd1", "name": "Relic", "description": "Malicious redirect to BotNet malvertizing of a business affecting both .command YouTube distribution. YouTube encoded logins. Hacker attack, geo tracking, passwords crack, decryption, C2. Retaliation. Found in referenced Twitter link shared with me.", "modified": "2024-02-01T14:01:46.735000", "created": "2024-01-02T17:40:17.890000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers nel", "maxage5184000", "name verdict", "falcon sandbox", "whois record", "ssl certificate", "tsara brashears", "whois whois", "historical ssl", "contacted", "highly targeted", "hackers", "botnet", "apple ios", "malicious", "hacktool", "quasar", "download", "malware", "relic", "monitoring", "installer", "tofsee", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "united", "file", "pattern match", "path", "date", "win64", "factory", "model", "comspec", "hybrid", "general", "click", "strings", "patch", "song culture", "tulach" ], "references": [ "rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru [phishing] SongCulture.comm& YouTube redirected by hacker", "https://hybrid-analysis.com/sample/3f1b1621818b3cfef7c58d8c3e382932a5a817579dffe8fbefc4cf6fdb8fc21d", "https://www.virustotal.com/gui/url/4657cd9117ad26288f2af98767de164d9af64e9c22e3eda9580766688ec38652/community", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/,", "https://twitter.com/sheriffspurlock?lang=en", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "http://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru", "nr-data.net [Apple Private Data Collection]", "init.ess.apple.com [backdoor, malicious script, access via media]", "https://stackabuse.com/assets/images/apple", "https://apple.find-tracking.us/?id=jit./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./err", "location-icloud.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking| Botnet Campaign]", "mailtrack.io [tracking VirusTotal graphs, link trace back]", "http://rawlucky.com/submit/prizepicker/iq?devicemodel=iPhone&carrier=\u00aeion=Baghdad&brand=Apple&browser=AlohaBrowserMobile&prize=300k&u=track.bawiwia.com&isp=EarthlinkTelecommunicationsEquipmentTradingServicesDmcc&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=IQ&click_id=woot0oed65crk85u2oe4vubu&partner=2423996&skip=yes", "https://aheadofthegame.uk/about?utm_campaign=You%E2%80%99re%20nearly%20there!&utm_medium=email&utm_source=Eloqua&elqTrackId=e6385dd142e445f48aa17b4544780841&elq=0db2557254194121b23f3bec84f42097&elqaid=4059&elqat=1&elqCampaignId=", "https://pin.it/ [faux Pinterest for TB]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS Password Cracker [", "114.114.114.114 [ Tulach Malware IP]", "13.107.136.8 [ Tulach Malware IP redirect]", "http://114.114.114.114:9421/proxycontrolwarn/ [Tulach cnc | probe]", "http://114.114.114.114/d?dn=sinastorage.com [ storage of targeted individuals on and offline Behavior]", "http://114.114.114.114:7777/c/msdownload/update/others/2022/01/29136388_", "http://114.114.114.114/ipw.ps1", "194.245.148.189 [CnC]", "https://stackabuse.com/generating-command-line-interfaces-cli-with-fire-in-python/", "http://109.206.241.129/666bins/666.mpsl", "http://designspaceblog.com/?mystique=jquery_init&ver=2.4.2", "143.244.50.213 |169.150.249.162 [malware_hosting]", "http://watchhers.net/index.php [malware spreader]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian No Expiration\t0\t Domain twitter.com No Expiration\t0\t Hostname www.pornhub.com No Expiration\t0\t URL https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 No Expiration\t0\t URL", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "xred.mooo.com [pornhub trojan]", "https://twitter.com/PORNO_SEXYBABES [ malvertizing, contextualizing, malicious]", "http://45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=DESKTOP-B0T93D6\\george", "https://otx.alienvault.com/indicator/url/https://www.hostinger.com/?REFERRALCODE=1ROCKY77 [ DGA parking]" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Comspec", "display_name": "Comspec", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8049, "FileHash-MD5": 388, "FileHash-SHA1": 212, "FileHash-SHA256": 7062, "domain": 4401, "hostname": 2653, "CVE": 2, "SSLCertFingerprint": 2 }, "indicator_count": 22769, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "808 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6581d83e20634ac0d58ceca9", "name": "Witchetty Cyber Espionage| BlueShell | Capture Wi-Fi password [Octoseek]", "description": "", "modified": "2024-01-17T23:03:40.729000", "created": "2023-12-19T17:51:58.995000", "tags": [ "contacted", "ssl certificate", "group", "toolset", "attacks", "governments", "middle east", "dalbit", "march", "witchetty", "blueshell", "execution", "lockbit", "malware", "backdoor", "tsara brashears", "octoseek", "steganographic technique", "proxylogon", "lookback", "lookingfrog", "anonfiles", "publishing", "music", "torrent", "critical", "hallrender", "ttp", "uae", "protection", "macmalware", "linux malware", "apple", "proxyshell", "x4", "zero trust", "youtube", "safebae", "rallypoint", "poemhunter", "eazy client", "africa", "united states", "ta410", "second stage", "Capture Wi-Fi password", "password stealer", "whois whois", "agent tesla", "love", "mirai", "satacom", "miner", "dtrack", "nebula", "cobalt strike", "nanocore", "core", "hacktool" ], "references": [ "EaZy Client.exe via qbittorrent.exe via AnonFiles origin RallyPoint", "https://malpedia.caad.fkie.fraunhofer.de/details/win.blueshell", "discord.com", "api.anonfiles.com", "checkip.dyndns.org", "checkip.dyndns.com", "DNS Query for Anonfiles.com Domain", "INDICATOR SUSPICIOUS_EXE_WirelessNetReccon", "INDICATOR SUSPICIOUS_EXE_CC_Regex", "DNS Query for Anonfiles.com Domain", "Traffic 13.107.4.52:80 (TCP)", "MALWARE_Win_StormKitty", "qbittorrent.exe", "EaZy Client.exe", "https://www.virustotal.com/gui/file/00047e1c8b4f336c86ed4ef148741c0d7658a0fd1107597acd4f22e5851e24ef/community" ], "public": 1, "adversary": "Witchetty APT Group", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Witchetty", "display_name": "Witchetty", "target": null }, { "id": "BlueShell", "display_name": "BlueShell", "target": null }, { "id": "Lokbit", "display_name": "Lokbit", "target": null }, { "id": "Mac.Malware", "display_name": "Mac.Malware", "target": null }, { "id": "trojan.msil/stealer", "display_name": "trojan.msil/stealer", "target": null } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [], "TLP": "white", "cloned_from": "6580d422fb57aab8e21c1f39", "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1541, "URL": 3782, "domain": 1067, "hostname": 1297, "FileHash-MD5": 110, "FileHash-SHA1": 110, "CVE": 3 }, "indicator_count": 7910, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "823 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6580d422fb57aab8e21c1f39", "name": "Witchetty Cyber Espionage| BlueShell | Capture Wi-Fi password", "description": "Deeply hidden inRallypoint.com. \nWitchetty cyber espionage: Witchetty's activity was characterized by the use of two pieces of malware, a first-stage backdoor known as X4 and a second-stage payload.\n\nBlueShell is a backdoor malware developed in Go language, published on Github, and it supports Windows, Linux, and \nDalbit APT Group targets vulnerable servers to breach information including internal data from companies or encrypts files may demand money.", "modified": "2024-01-17T23:03:40.729000", "created": "2023-12-18T23:22:10.482000", "tags": [ "contacted", "ssl certificate", "group", "toolset", "attacks", "governments", "middle east", "dalbit", "march", "witchetty", "blueshell", "execution", "lockbit", "malware", "backdoor", "tsara brashears", "octoseek", "steganographic technique", "proxylogon", "lookback", "lookingfrog", "anonfiles", "publishing", "music", "torrent", "critical", "hallrender", "ttp", "uae", "protection", "macmalware", "linux malware", "apple", "proxyshell", "x4", "zero trust", "youtube", "safebae", "rallypoint", "poemhunter", "eazy client", "africa", "united states", "ta410", "second stage", "Capture Wi-Fi password", "password stealer", "whois whois", "agent tesla", "love", "mirai", "satacom", "miner", "dtrack", "nebula", "cobalt strike", "nanocore", "core", "hacktool" ], "references": [ "EaZy Client.exe via qbittorrent.exe via AnonFiles origin RallyPoint", "https://malpedia.caad.fkie.fraunhofer.de/details/win.blueshell", "discord.com", "api.anonfiles.com", "checkip.dyndns.org", "checkip.dyndns.com", "DNS Query for Anonfiles.com Domain", "INDICATOR SUSPICIOUS_EXE_WirelessNetReccon", "INDICATOR SUSPICIOUS_EXE_CC_Regex", "DNS Query for Anonfiles.com Domain", "Traffic 13.107.4.52:80 (TCP)", "MALWARE_Win_StormKitty", "qbittorrent.exe", "EaZy Client.exe", "https://www.virustotal.com/gui/file/00047e1c8b4f336c86ed4ef148741c0d7658a0fd1107597acd4f22e5851e24ef/community" ], "public": 1, "adversary": "Witchetty APT Group", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Witchetty", "display_name": "Witchetty", "target": null }, { "id": "BlueShell", "display_name": "BlueShell", "target": null }, { "id": "Lokbit", "display_name": "Lokbit", "target": null }, { "id": "Mac.Malware", "display_name": "Mac.Malware", "target": null }, { "id": "trojan.msil/stealer", "display_name": "trojan.msil/stealer", "target": null } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1541, "URL": 3782, "domain": 1067, "hostname": 1297, "FileHash-MD5": 110, "FileHash-SHA1": 110, "CVE": 3 }, "indicator_count": 7910, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "823 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6581d83bfd115be1f92d75a9", "name": "Witchetty Cyber Espionage| BlueShell | Capture Wi-Fi password [Octoseek]", "description": "", "modified": "2024-01-17T23:03:40.729000", "created": "2023-12-19T17:51:55.338000", "tags": [ "contacted", "ssl certificate", "group", "toolset", "attacks", "governments", "middle east", "dalbit", "march", "witchetty", "blueshell", "execution", "lockbit", "malware", "backdoor", "tsara brashears", "octoseek", "steganographic technique", "proxylogon", "lookback", "lookingfrog", "anonfiles", "publishing", "music", "torrent", "critical", "hallrender", "ttp", "uae", "protection", "macmalware", "linux malware", "apple", "proxyshell", "x4", "zero trust", "youtube", "safebae", "rallypoint", "poemhunter", "eazy client", "africa", "united states", "ta410", "second stage", "Capture Wi-Fi password", "password stealer", "whois whois", "agent tesla", "love", "mirai", "satacom", "miner", "dtrack", "nebula", "cobalt strike", "nanocore", "core", "hacktool" ], "references": [ "EaZy Client.exe via qbittorrent.exe via AnonFiles origin RallyPoint", "https://malpedia.caad.fkie.fraunhofer.de/details/win.blueshell", "discord.com", "api.anonfiles.com", "checkip.dyndns.org", "checkip.dyndns.com", "DNS Query for Anonfiles.com Domain", "INDICATOR SUSPICIOUS_EXE_WirelessNetReccon", "INDICATOR SUSPICIOUS_EXE_CC_Regex", "DNS Query for Anonfiles.com Domain", "Traffic 13.107.4.52:80 (TCP)", "MALWARE_Win_StormKitty", "qbittorrent.exe", "EaZy Client.exe", "https://www.virustotal.com/gui/file/00047e1c8b4f336c86ed4ef148741c0d7658a0fd1107597acd4f22e5851e24ef/community" ], "public": 1, "adversary": "Witchetty APT Group", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Witchetty", "display_name": "Witchetty", "target": null }, { "id": "BlueShell", "display_name": "BlueShell", "target": null }, { "id": "Lokbit", "display_name": "Lokbit", "target": null }, { "id": "Mac.Malware", "display_name": "Mac.Malware", "target": null }, { "id": "trojan.msil/stealer", "display_name": "trojan.msil/stealer", "target": null } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [], "TLP": "white", "cloned_from": "6580d422fb57aab8e21c1f39", "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1541, "URL": 3782, "domain": 1067, "hostname": 1297, "FileHash-MD5": 110, "FileHash-SHA1": 110, "CVE": 3 }, "indicator_count": 7910, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "823 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657fbac9a03d611624985685", "name": "Lazarus Matrix | https://www.poemhunter.com/tsara-brashears", "description": "Search content targeting American independent artist & publisher; Tsara Brashears. was prominently malvertized before being blacklisted for malicious content. Miscellaneous network, libel, tagging, adult content, social engineering, fine deletion , multiple bot networks. Virus network smear campaign launched by Brian Sabey of Hall Render includes; safebae.org, rallypoit.com, Westlaw.com, \n www.poemhunter.com, pornhub.sev. apple.com, nr- data.com, cia.gov+ \n tracking, hacking monitoring, modifying. banking, ddos, ransomware, webcam, medical records, email threats, attempts. Active 'SA' silencecing campaign. Target & associated in danger. \n \nCritical threat to public. Compromised business with more than 2+ million downloads. Downloads amended by hackers, audience deleted.", "modified": "2024-01-17T01:04:01.912000", "created": "2023-12-18T03:21:45.890000", "tags": [ "ssl certificate", "whois record", "resolutions", "threat roundup", "referrer", "contacted", "april", "historical ssl", "threat network", "june", "august", "ransomware", "malware", "python", "probe", "formbook", "dropped", "njrat", "malware alibaba", "cloud computing", "service", "love", "execution" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 152, "FileHash-SHA256": 2657, "URL": 6244, "domain": 1672, "hostname": 2213 }, "indicator_count": 13091, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657fbac7f0d96f1ad5d90ccb", "name": "Lazarus Matrix | https://www.poemhunter.com/tsara-brashears", "description": "Search content targeting American independent artist & publisher; Tsara Brashears. was prominently malvertized before being blacklisted for malicious content. Miscellaneous network, libel, tagging, adult content, social engineering, fine deletion , multiple bot networks. Virus network smear campaign launched by Brian Sabey of Hall Render includes; safebae.org, rallypoit.com, Westlaw.com, \n www.poemhunter.com, pornhub.sev. apple.com, nr- data.com, cia.gov+ \n tracking, hacking monitoring, modifying. banking, ddos, ransomware, webcam, medical records, email threats, attempts. Active 'SA' silencecing campaign. Target & associated in danger. \n \nCritical threat to public. Compromised business with more than 2+ million downloads. Downloads amended by hackers, audience deleted.", "modified": "2024-01-17T01:04:01.912000", "created": "2023-12-18T03:21:43.483000", "tags": [ "ssl certificate", "whois record", "resolutions", "threat roundup", "referrer", "contacted", "april", "historical ssl", "threat network", "june", "august", "ransomware", "malware", "python", "probe", "formbook", "dropped", "njrat", "malware alibaba", "cloud computing", "service", "love", "execution" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 152, "FileHash-SHA256": 2657, "URL": 6244, "domain": 1672, "hostname": 2213 }, "indicator_count": 13091, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657fed19f6d24e751fa82de8", "name": "Lazarus Hosts | https://www.poemhunter.com/tsara-brashears", "description": "", "modified": "2024-01-17T01:04:01.912000", "created": "2023-12-18T06:56:25.399000", "tags": [ "ssl certificate", "whois record", "resolutions", "threat roundup", "referrer", "contacted", "april", "historical ssl", "threat network", "june", "august", "ransomware", "malware", "python", "probe", "formbook", "dropped", "njrat", "malware alibaba", "cloud computing", "service", "love", "execution" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "657fbac9a03d611624985685", "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 152, "FileHash-SHA256": 2657, "URL": 6244, "domain": 1672, "hostname": 2213 }, "indicator_count": 13091, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659d6ae800440c0befb47e22", "name": "BazaLoader affiliates use elaborate infection chains via notable victim interaction", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2024-01-09T15:48:56.676000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657c045ef15bd06d27da1b08", "export_count": 250, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "828 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658dd341d97d04b0253392d4", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-28T19:57:53.875000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657ab025b97f20f31bbfcd70", "export_count": 522, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "828 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658ef8c00492cc6bdaa8b605", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch | https://safebae.org", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-29T16:50:08.330000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "658dd341d97d04b0253392d4", "export_count": 518, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "828 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657c045ef15bd06d27da1b08", "name": "Resource Hijacking by attorney https://hallrender.com/attorney/brian-sabey", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-15T07:46:38.664000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657c03432f4f2997c7d3aff4", "export_count": 508, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "828 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657c03432f4f2997c7d3aff4", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-15T07:41:55.972000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657ab025b97f20f31bbfcd70", "export_count": 508, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "828 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657ab025b97f20f31bbfcd70", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch", "description": "Alleged attorney defending Jeffrey Scott Reimer DPT. Firm uses every possible tool to destroy, make life unbearable, threaten and cause harm to targets. I don't feel safe. I hope this research helps the next target.\n\nMissouri government is seen throughout. The corruption is mafia deep. There is tracking. In person stalking, theft, identity theft, mail theft, modification of records and services, legitimate death threats,etc.\nOpen records act: Target has made multiple reports to authorities regarding physical assaults, threats, phone hacking, etc. OCA: Reports show a settlement was paid by Brian Sabey in part to help Tsara Brashears discover hacker.\nI've been receiving death threats, followed, property accessed, tampering. Attacking entire family including her children, father and beyond.", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-14T07:35:01.537000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": null, "export_count": 512, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "828 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657aaff046e2083b423a39e2", "name": "Inmortal Invoke-Mimikatz", "description": "Attorney defending Jeffrey Scott Reimer DPT. Firm uses every possible tool to destroy, make life uncomfortable, threaten and cause harm to targets.\nPossible masquerading / DBA as attorney with such illegal behavior.\nMay have been hired to harass and...she is reported dead of suicide morning after reporting harassment. Missouri government is seen throughout as if hired by firm. If this is a true law firm , the corruption is mafia deep. \n\nI'm 24/7 followed. Hacked l, etc. \nVery expensive threat and deliver campaign. Verdict: Digital profile completely destroyed. Lives at risk.", "modified": "2024-01-12T04:02:22.872000", "created": "2023-12-14T07:34:08.701000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": null, "export_count": 438, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1995, "hostname": 3222, "URL": 7179, "FileHash-MD5": 2749, "FileHash-SHA1": 1538, "FileHash-SHA256": 4661, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 21381, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "829 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6563ca952c89a2affe9e732e", "name": "http://hdtvlive.xyz/mobile.apk", "description": "", "modified": "2023-12-26T22:03:15.079000", "created": "2023-11-26T22:45:41.590000", "tags": [ "whois record", "whois whois", "ssl certificate", "deepscan", "sodinokibi", "tag count", "jul jan", "tue feb", "threat report", "ip summary", "url summary", "summary", "sample", "first", "detection list", "blacklist http", "cisco umbrella", "site", "alexa top", "million", "safe site", "alexa", "cve20188453", "malware site", "malware", "malicious site", "artemis", "unsafe", "cnc server", "tracker", "cnc feodo", "cyber threat", "threats et", "united", "cronup threat", "emotet ip", "blocklist", "et cnc", "phishing", "emotet", "zbot", "bank", "malicious", "facebook", "feodo", "virustotal", "dropper", "team", "suppobox", "ransomware", "ramnit", "recent emotet", "pattern match", "root ca", "done adding", "catalog file", "file", "ascii text", "authority", "appdata", "class", "date", "unknown", "generator", "error", "hybrid", "accept", "general", "local", "twitter", "click", "strings", "critical", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore", "Italy", "Ireland" ], "malware_families": [ { "id": "Recent Emotet", "display_name": "Recent Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 523, "FileHash-SHA1": 275, "FileHash-SHA256": 2482, "domain": 1757, "hostname": 1234, "URL": 4946, "CVE": 4 }, "indicator_count": 11221, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "845 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6563ca913b90e747f45027c3", "name": "http://hdtvlive.xyz/mobile.apk", "description": "", "modified": "2023-12-26T22:03:15.079000", "created": "2023-11-26T22:45:37.305000", "tags": [ "whois record", "whois whois", "ssl certificate", "deepscan", "sodinokibi", "tag count", "jul jan", "tue feb", "threat report", "ip summary", "url summary", "summary", "sample", "first", "detection list", "blacklist http", "cisco umbrella", "site", "alexa top", "million", "safe site", "alexa", "cve20188453", "malware site", "malware", "malicious site", "artemis", "unsafe", "cnc server", "tracker", "cnc feodo", "cyber threat", "threats et", "united", "cronup threat", "emotet ip", "blocklist", "et cnc", "phishing", "emotet", "zbot", "bank", "malicious", "facebook", "feodo", "virustotal", "dropper", "team", "suppobox", "ransomware", "ramnit", "recent emotet", "pattern match", "root ca", "done adding", "catalog file", "file", "ascii text", "authority", "appdata", "class", "date", "unknown", "generator", "error", "hybrid", "accept", "general", "local", "twitter", "click", "strings", "critical", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore", "Italy", "Ireland" ], "malware_families": [ { "id": "Recent Emotet", "display_name": "Recent Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 523, "FileHash-SHA1": 275, "FileHash-SHA256": 2482, "domain": 1757, "hostname": 1234, "URL": 4946, "CVE": 4 }, "indicator_count": 11221, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "845 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6562908e28e6cdc237fbf8db", "name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "description": "", "modified": "2023-12-26T00:03:03.925000", "created": "2023-11-26T00:25:50.529000", "tags": [ "ssl certificate", "contacted", "threat roundup", "whois record", "communicating", "subdomains", "resolutions", "june", "july", "october", "august", "noname057", "generic malware", "ice fog", "tag count", "thu nov", "threat report", "ip summary", "url summary", "summary", "sample", "first", "generic", "detection list", "blacklist http", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "alexa", "malware site", "malicious site", "unsafe", "artemis", "fakealert", "exploit", "opencandy", "riskware", "genkryptik", "iframe", "tiggre", "presenoker", "agent", "conduit", "wacatac", "phishing", "redline stealer", "dropper", "cobalt strike", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "filetour", "cleaner", "installpack", "xrat", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "blacknet rat", "stealer", "maltiverse", "webtoolbar", "trojanspy", "united", "engineering", "cyber threat", "phishing site", "america", "emotet", "zbot", "malicious", "steam", "team", "indonesia", "miner", "ransomware", "ramnit", "pe resource", "historical ssl", "execution", "hacktool", "metasploit", "relic", "monitoring", "android", "skynet", "et", "anonymizer", "trojanx", "back", "laplasclipper", "win64", "trojan", "ghost rat", "suppobox", "asyncrat", "union", "samples", "blacklist", "malicious url", "hostname", "hostnames", "tsara brashears", "reinsurance", "pinnacol insurance", "industry and commerce", "state", "danger", "warning", "nr-data.net", "apple", "data.net", "asp.net", "domains", "hashes", "reverse dns", "general full", "resource", "software", "asn15169", "google", "url http", "server", "hash", "get h2", "main", "cookie", "thu dec", "germany", "frankfurt", "netherlands", "asn20446", "highwinds3", "page url", "search live", "api blog", "docs pricing", "tags", "november", "us summary", "http", "google safe", "browsing", "adware", "xtrat", "firehol", "microsoft", "control server", "services", "msil", "hiloti", "asn16509", "amazon02", "fastly", "asn54113", "prague", "login", "listen live", "centura health", "colorado jobs", "eeo public", "filing url", "blacklist https", "mimikatz", "beach research", "de indicators", "copyright", "gmbh version", "follow", "softcnapp", "philadelphia", "gamehack", "value", "line", "variables", "nreum", "postrelease", "url https", "security tls", "protocol h2", "name value", "scam", "gesponsert url", "outputldjh", "oid2", "uhis2", "uh1200", "uw1600", "uah1200", "uaw1600", "ucd24", "usd1", "utz60", "no data", "coinminer", "ip address", "exchange", "http attacker", "states", "jimburkedentistry", "leder-family", "adam lee", "erika lee", "malvertizing" ], "references": [ "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "http://tracks.theleders.family", "photos.theleders.family", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "http://mobtrack.trkclk.net", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "nr-data.net", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "103.233.208.9 (CNC IP)", "apex.jquery.com (scammer | works for who?)", "api.useragentswitch.com", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "dns.google (DNS client services - Doug Cole)", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "apple-dns.net", "emails.redvue.com (apple DNS w/amvima)", "142.250.180.4 (init.ess)", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "freeimdatingsites.thomasdobo.eu", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "https://urlscan.io/domain/maxwam.tk", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "States", "display_name": "States", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 83, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1956, "FileHash-SHA1": 867, "FileHash-SHA256": 3751, "URL": 10878, "domain": 2914, "hostname": 3520, "CVE": 16 }, "indicator_count": 23902, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "846 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656aafce24b001cba328dcbc", "name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "description": "", "modified": "2023-12-26T00:03:03.925000", "created": "2023-12-02T04:17:18.188000", "tags": [ "ssl certificate", "contacted", "threat roundup", "whois record", "communicating", "subdomains", "resolutions", "june", "july", "october", "august", "noname057", "generic malware", "ice fog", "tag count", "thu nov", "threat report", "ip summary", "url summary", "summary", "sample", "first", "generic", "detection list", "blacklist http", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "alexa", "malware site", "malicious site", "unsafe", "artemis", "fakealert", "exploit", "opencandy", "riskware", "genkryptik", "iframe", "tiggre", "presenoker", "agent", "conduit", "wacatac", "phishing", "redline stealer", "dropper", "cobalt strike", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "filetour", "cleaner", "installpack", "xrat", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "blacknet rat", "stealer", "maltiverse", "webtoolbar", "trojanspy", "united", "engineering", "cyber threat", "phishing site", "america", "emotet", "zbot", "malicious", "steam", "team", "indonesia", "miner", "ransomware", "ramnit", "pe resource", "historical ssl", "execution", "hacktool", "metasploit", "relic", "monitoring", "android", "skynet", "et", "anonymizer", "trojanx", "back", "laplasclipper", "win64", "trojan", "ghost rat", "suppobox", "asyncrat", "union", "samples", "blacklist", "malicious url", "hostname", "hostnames", "tsara brashears", "reinsurance", "pinnacol insurance", "industry and commerce", "state", "danger", "warning", "nr-data.net", "apple", "data.net", "asp.net", "domains", "hashes", "reverse dns", "general full", "resource", "software", "asn15169", "google", "url http", "server", "hash", "get h2", "main", "cookie", "thu dec", "germany", "frankfurt", "netherlands", "asn20446", "highwinds3", "page url", "search live", "api blog", "docs pricing", "tags", "november", "us summary", "http", "google safe", "browsing", "adware", "xtrat", "firehol", "microsoft", "control server", "services", "msil", "hiloti", "asn16509", "amazon02", "fastly", "asn54113", "prague", "login", "listen live", "centura health", "colorado jobs", "eeo public", "filing url", "blacklist https", "mimikatz", "beach research", "de indicators", "copyright", "gmbh version", "follow", "softcnapp", "philadelphia", "gamehack", "value", "line", "variables", "nreum", "postrelease", "url https", "security tls", "protocol h2", "name value", "scam", "gesponsert url", "outputldjh", "oid2", "uhis2", "uh1200", "uw1600", "uah1200", "uaw1600", "ucd24", "usd1", "utz60", "no data", "coinminer", "ip address", "exchange", "http attacker", "states", "jimburkedentistry", "leder-family", "adam lee", "erika lee", "malvertizing" ], "references": [ "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "http://tracks.theleders.family", "photos.theleders.family", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "http://mobtrack.trkclk.net", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "nr-data.net", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "103.233.208.9 (CNC IP)", "apex.jquery.com (scammer | works for who?)", "api.useragentswitch.com", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "dns.google (DNS client services - Doug Cole)", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "apple-dns.net", "emails.redvue.com (apple DNS w/amvima)", "142.250.180.4 (init.ess)", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "freeimdatingsites.thomasdobo.eu", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "https://urlscan.io/domain/maxwam.tk", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "States", "display_name": "States", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": "6562908e28e6cdc237fbf8db", "export_count": 78, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1956, "FileHash-SHA1": 867, "FileHash-SHA256": 3751, "URL": 10878, "domain": 2914, "hostname": 3520, "CVE": 16 }, "indicator_count": 23902, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "846 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "photos.theleders.family", "https://www.akhaltsikhe.gov.ge/ | GMT Server LiteSpeed location", "a.nel.cloudflare.com / api.w.org", "vtbehaviour.commondatastorage.googleapis.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "FileHash-MD5\ted5c771224fbd6f9b2c0cf1e8cce09b5", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian No Expiration\t0\t Domain twitter.com No Expiration\t0\t Hostname www.pornhub.com No Expiration\t0\t URL https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 No Expiration\t0\t URL", "https://malpedia.caad.fkie.fraunhofer.de/details/win.blueshell", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "http://rawlucky.com/submit/prizepicker/iq?devicemodel=iPhone&carrier=\u00aeion=Baghdad&brand=Apple&browser=AlohaBrowserMobile&prize=300k&u=track.bawiwia.com&isp=EarthlinkTelecommunicationsEquipmentTradingServicesDmcc&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=IQ&click_id=woot0oed65crk85u2oe4vubu&partner=2423996&skip=yes", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "batchcourtexpressservicesqa.westlaw.com", "init.ess.apple.com ( Code Script \u2022 MortalK)", "https://aheadofthegame.uk/about?utm_campaign=You%E2%80%99re%20nearly%20there!&utm_medium=email&utm_source=Eloqua&elqTrackId=e6385dd142e445f48aa17b4544780841&elq=0db2557254194121b23f3bec84f42097&elqaid=4059&elqat=1&elqCampaignId=", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "location-icloud.com", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "us-west-2.es.amazonaws.com (pslicorp)", "94.130.71.173 [scanning host]", "www.dead-speak.com", "beacons.bcp.gvt.com", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "cpcontacts.webcamara.online", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net [BitCoinAussie ?]", "government.westlaw.com", "www42.jhonisdead.com", "emails.redvue.com (apple DNS w/amvima)", "EaZy Client.exe via qbittorrent.exe via AnonFiles origin RallyPoint", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru [phishing] SongCulture.comm& YouTube redirected by hacker", "https://ladys.one/xxx/a-tsara-brashears-zafira-porn", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "103.233.208.9 (CNC IP)", "http://security.didici.cc/cve", "Michael Roberts Australia, Germany, Iowa, New York Friend of Ben", "https://hybrid-analysis.com/sample/3f1b1621818b3cfef7c58d8c3e382932a5a817579dffe8fbefc4cf6fdb8fc21d", "freeimdatingsites.thomasdobo.eu", "https://pin.it/ [faux Pinterest for TB]", "143.244.50.213 |169.150.249.162 [malware_hosting]", "https://www.hallrender.com/attorney/brian-sabey", "api.telegram.org", "http://ti.hicloudcam.com", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "Michael Roberts - murder suspect, victim, hacker, PI", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "https://www.sweetheartvideo.com/tsara-brashears/", "Worm:Win32/Benjamin", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "screencasts.rexxfield.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://alohatube.xyz/search/tsara-brashears", "applemusic-spotlight.myunidays.com", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "discord.com", "api.anonfiles.com", "https://www.myminiweb.com/", "INDICATOR SUSPICIOUS_EXE_CC_Regex", "api.useragentswitch.com", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://otx.alienvault.com/indicator/url/https://media.toxtren.com/redirect.aspx?pid=272789&&bid=1971&&lpid=2119&&subid=18b8dh9scxi7sbl11f&&sref=inhousecpa&&inhousecpa=Kiev_Dima_BR_Setki", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "nr-data.net", "batchpublicrecords.westlaw.com", "https://www.google.com/?authuser=0", "FileHash-SHA256\t00000254e6344d34a1e4ef157cb01d8b7efa65c22c996f9dfe85e7482c6c86ab", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "http://dreamsofspanking.com/scene/item/rosie-backlash-caning?utm_campaign=apr15", "MALWARE_Win_StormKitty", "https://rexxfield.com/", "1.116.217.151 [Cobalt Strike]", "rp.dudaran2.com [routerlogin.net to safebae.org]", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "http://mobtrack.trkclk.net", "https://twitter.com/sheriffspurlock?lang=en", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "xred.mooo.com [pornhub trojan]", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | OS & iOS Password and Password Cracker", "DNS Query for Anonfiles.com Domain", "EaZy Client.exe", "miles.ns.cloudflare.com", "https://thebrotherssabey.wordpress.com/", "142.250.180.4 (init.ess)", "dns.google (DNS client services - Doug Cole)", "https://poemhunter.com/tsara-brashears/", "114.114.114.114 [ Tulach Malware IP]", "13.107.136.8 [ Tulach Malware IP redirect]", "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "c.oooooooooo.ga (c.apple.com cdn)", "checkip.dyndns.org", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://urlscan.io/domain/maxwam.tk", "http://114.114.114.114/d?dn=sinastorage.com [ storage of targeted individuals on and offline Behavior]", "acam-mdn.apple.com", "http://114.114.114.114:7777/c/msdownload/update/others/2022/01/29136388_", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://hallrender.com/attorney/brian-sabey", "https://otx.alienvault.com/indicator/url/https://www.hostinger.com/?REFERRALCODE=1ROCKY77 [ DGA parking]", "cobaltstrike4.tk | https://cobaltstrike4.tk:8443/include/template/isx.php", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4", "http://45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=DESKTOP-B0T93D6\\george", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "apex.jquery.com (scammer | works for who?)", "apple-dns.net", "init.ess.apple.com [backdoor, malicious script, access via media]", "west-sca.duckdns.org", "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "http://www.objectaid.com/update/current/p2.index [AIN Phishing IOC's]", "qbittorrent.exe", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking| Botnet Campaign]", "https://www.virustotal.com/gui/url/4657cd9117ad26288f2af98767de164d9af64e9c22e3eda9580766688ec38652/community", "http://designspaceblog.com/?mystique=jquery_init&ver=2.4.2", "fakecelebporno.com", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "checkip.dyndns.com", "http://114.114.114.114:9421/proxycontrolwarn/ [Tulach cnc | probe]", "INDICATOR SUSPICIOUS_EXE_WirelessNetReccon", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "Traffic 13.107.4.52:80 (TCP)", "https://apple.find-tracking.us/?id=jit./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./err", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/,", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://stackabuse.com/generating-command-line-interfaces-cli-with-fire-in-python/", "blackhat.store", "http://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru", "https://www.couriermail.com.au/ipad/custody-bid-strands-family/news-story/23c2c9a5fc984edc04d29655c641f484", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "https://www.anyxxxtube.net/media/favicon/apple", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://rexxfield.com [ hmmm...inc.legal] is Alienvault a subsidiary of Rexxfields unwarranted investigation/spy campaign? Confused", "https://search.app.goo.gl/?ofl", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "https://stackabuse.com/assets/images/apple", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "FileHash-SHA1\tf336b50f5cca2ddc0341e2c4001b419a830d27a5", "http://109.206.241.129/666bins/666.mpsl", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [text, email, collection]", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "98cc05d9c12c214deadfe71af22cd3862e7417c0 [backdoor | PPI User-Agent (InstallCapital)]", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "https://tulach.cc/", "http://114.114.114.114/ipw.ps1", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "mailtrack.io [tracking VirusTotal graphs, link trace back]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS Password Cracker [", "dvd-game-new-releases.info", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "www.akhaltsikhe.gov.ge [Germany?]", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "ns3.hallgrandsale.ru", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "nr-data.net [Apple Private Data Collection]", "194.245.148.189 [CnC]", "https://www.virustotal.com/gui/file/00047e1c8b4f336c86ed4ef148741c0d7658a0fd1107597acd4f22e5851e24ef/community", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "http://tracks.theleders.family", "https://twitter.com/PORNO_SEXYBABES [ malvertizing, contextualizing, malicious]", "http://watchhers.net/index.php [malware spreader]", "192.124.249.53:80", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "www.hallrender.com (malware hosting)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "apple-aqo.com (1 DNSPod.net)" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "Witchetty APT Group" ], "malware_families": [ "Occamy", "Hacktool", "Backdoor:win32/wabot.a", "Defacement", "Recent emotet", "W32.eheur", "Silk", "Tofsee", "Witchetty", "Xpire.info", "Suppobox", "Uztuby", "Nymaim", "Tv rat", "Pykspa_v2_fake", "Zbot", "Installbrain", "Downloader.cerber/js!1.a59c (classic)", "Content reputation", "Pykspa", "Qbot", "Hallgrand", "Tulach", "Gen:variant.strictor", "Virtool:msil/cryptinject.cf!mtb", "Trojan.wisdomeyes.16070401.9500", "Cobalt strike", "Gamehack", "Alf:heraklezeval:trojanclicker:js/faceliker", "Blueshell", "Redline stealer", "Beach research", "Trojandownloader:win32/upatre.a", "China telecom", "Elocky", "Hsbc", "Mydoom", "Comspec", "Worm:win32/benjamin", "Trojanspy", "Installcore", "Dridex", "Tel:exploit:win32/sinkers", "Redline", "Ransom:win32/wannacrypt.a!rsm", "Emotet", "Lolkek", "Relic", "Worm:win32/pykspa", "Trojanspy:win32/bradesco", "Win32.pdf.alien", "Banjori", "Locky (decryptor)", "Generic", "Invoke-mimikatz", "Alf:heraklezeval:softwarebundler:win32/prepscram", "Skynet", "Win.malware.downloadguide-6803841-0", "Apnic", "Ransom:win32/g and crab!rfn", "Adware.browsefox", "Pony", "#lowfi:siga:trojanspy:msil/keylogger", "Sonbokli", "Dyre", "Kimsuky", "Worm:win32/fesber.a", "#lowfi:hstr:trojanspy:win32/xtrat", "Prynt", "Searchmeup", "Trojanclicker", "Babar", "Ubot", "Locky", "Ghost rat", "Njrat", "Freemake", "States", "Alfper:installcapital", "Trojan:win32/qbot.r!mtb", "Webtoolbar", "Vitzo", "Inmortal", "Virut", "Trojan.msil/stealer", "Agent tesla", "Nanocore rat", "Artro", "Trojan:win32/tiggre", "Et", "Zeus", "Win32:malware-gen", "Maltiverse", "Behav", "Win.packed.kkrunchy-7049457-1", "Cl0p", "Alf:trojan:win32/formbook", "Solar", "Trojan:win32/wacatac", "Quasar rat", "Mac.malware", "Wannacry kill switch", "Sibot - s0589", "Rms", "#lowfi:fop:virtool:win32/injector", "Ransomware", "Virus.virlock/nabucur", "Lokbit", "Msil_kryptik.p.gen", "Verified", "Sabey", "Mirai", "W32/expiro.fam", "Redirector", "Domains", "Hallrender", "Goldfinder", "Trojan.avsetecer", "Alf:heraklezeval:trojan:bat/musecador" ], "industries": [ "Technology", "Telecommunications", "Healthcare", "Health", "Insurance", "Government", "Finance" ], "unique_indicators": 201706 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/cloudflaressl.com", "whois": "http://whois.domaintools.com/cloudflaressl.com", "domain": "cloudflaressl.com", "hostname": "ssl424011.cloudflaressl.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 39, "pulses": [ { "id": "656aafd0e93efa420f74123c", "name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "description": "", "modified": "2024-10-12T01:00:47.836000", "created": "2023-12-02T04:17:20.189000", "tags": [ "ssl certificate", "contacted", "threat roundup", "whois record", "communicating", "subdomains", "resolutions", "june", "july", "october", "august", "noname057", "generic malware", "ice fog", "tag count", "thu nov", "threat report", "ip summary", "url summary", "summary", "sample", "first", "generic", "detection list", "blacklist http", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "alexa", "malware site", "malicious site", "unsafe", "artemis", "fakealert", "exploit", "opencandy", "riskware", "genkryptik", "iframe", "tiggre", "presenoker", "agent", "conduit", "wacatac", "phishing", "redline stealer", "dropper", "cobalt strike", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "filetour", "cleaner", "installpack", "xrat", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "blacknet rat", "stealer", "maltiverse", "webtoolbar", "trojanspy", "united", "engineering", "cyber threat", "phishing site", "america", "emotet", "zbot", "malicious", "steam", "team", "indonesia", "miner", "ransomware", "ramnit", "pe resource", "historical ssl", "execution", "hacktool", "metasploit", "relic", "monitoring", "android", "skynet", "et", "anonymizer", "trojanx", "back", "laplasclipper", "win64", "trojan", "ghost rat", "suppobox", "asyncrat", "union", "samples", "blacklist", "malicious url", "hostname", "hostnames", "tsara brashears", "reinsurance", "pinnacol insurance", "industry and commerce", "state", "danger", "warning", "nr-data.net", "apple", "data.net", "asp.net", "domains", "hashes", "reverse dns", "general full", "resource", "software", "asn15169", "google", "url http", "server", "hash", "get h2", "main", "cookie", "thu dec", "germany", "frankfurt", "netherlands", "asn20446", "highwinds3", "page url", "search live", "api blog", "docs pricing", "tags", "november", "us summary", "http", "google safe", "browsing", "adware", "xtrat", "firehol", "microsoft", "control server", "services", "msil", "hiloti", "asn16509", "amazon02", "fastly", "asn54113", "prague", "login", "listen live", "centura health", "colorado jobs", "eeo public", "filing url", "blacklist https", "mimikatz", "beach research", "de indicators", "copyright", "gmbh version", "follow", "softcnapp", "philadelphia", "gamehack", "value", "line", "variables", "nreum", "postrelease", "url https", "security tls", "protocol h2", "name value", "scam", "gesponsert url", "outputldjh", "oid2", "uhis2", "uh1200", "uw1600", "uah1200", "uaw1600", "ucd24", "usd1", "utz60", "no data", "coinminer", "ip address", "exchange", "http attacker", "states", "jimburkedentistry", "leder-family", "adam lee", "erika lee", "malvertizing" ], "references": [ "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "http://tracks.theleders.family", "photos.theleders.family", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "http://mobtrack.trkclk.net", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "nr-data.net", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "103.233.208.9 (CNC IP)", "apex.jquery.com (scammer | works for who?)", "api.useragentswitch.com", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "dns.google (DNS client services - Doug Cole)", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "apple-dns.net", "emails.redvue.com (apple DNS w/amvima)", "142.250.180.4 (init.ess)", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "freeimdatingsites.thomasdobo.eu", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "https://urlscan.io/domain/maxwam.tk", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "States", "display_name": "States", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": "6562908e28e6cdc237fbf8db", "export_count": 107, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1956, "FileHash-SHA1": 867, "FileHash-SHA256": 3895, "URL": 11195, "domain": 2959, "hostname": 3575, "CVE": 16, "SSLCertFingerprint": 1, "email": 1 }, "indicator_count": 24465, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "555 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657fee4dec993692315eb9e9", "name": "NjRAT | Threat Network | https://www.poemhunter.com/tsara-brashears ", "description": "", "modified": "2024-09-05T07:13:57.083000", "created": "2023-12-18T07:01:33.682000", "tags": [ "ssl certificate", "whois record", "resolutions", "threat roundup", "referrer", "contacted", "april", "historical ssl", "threat network", "june", "august", "ransomware", "malware", "python", "probe", "formbook", "dropped", "njrat", "malware alibaba", "cloud computing", "service", "love", "execution" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "657fed19f6d24e751fa82de8", "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 152, "FileHash-SHA256": 2775, "URL": 7125, "domain": 1726, "hostname": 2417 }, "indicator_count": 14348, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "592 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a4885e735b9e8ba94805bc", "name": "Apple | Worm:Win32/Benjamin | thebrotherssabey.com", "description": "", "modified": "2024-09-05T06:51:42.608000", "created": "2024-01-15T01:20:30.730000", "tags": [ "execution", "whois record", "contacted", "ssl certificate", "whois whois", "contacted urls", "copy", "historical ssl", "referrer", "urls url", "icmp", "malicious", "installer", "problems", "collections", "report", "phishing", "service tool", "greatness", "threat network", "emotet", "magniber", "startpage", "attack", "banker", "keylogger", "namecheap inc", "com laude", "ltd dba", "cloudflare", "porkbun llc", "ii llc", "csc corporate", "domains", "computer", "company limited", "first", "cloudflarenet", "google", "amazon02", "akamaias", "telecom italia", "utc submissions", "microsoftcorpas", "indonesia", "beijing gu", "appleaustin", "sucurisec", "amazonaes", "limited", "tsara brashears", "pornhub", "thebrotherssabey", "then brothers sabey", "brian sabey", "apple", "icloud", "apple engineering", "soc", "hacker", "teams", "malvertizing", "cyberthreat", "cyber crime", "data", "v3 serial", "number", "cgb stgreater", "ecc domain", "server ca", "subject public", "key info", "key algorithm", "ec oid", "remote", "remote attacker", "benjamin", "worm", "trojan", "win32", "trojanspy", "ransomware", "command and control", "cnc", "c2", "stealer", "password", "apple unlocker", "pornographers", "cyber stalking", "revenge rat", "masquerading", "scanning host", "phishing", "dns", "network", "cobalt strike", "mitre attack", "metro hacker", "t-mobile hacker", "stalker", "social engineering", "et", "torrent trecker", "view", "duckdns", "blackhat", "data center", "tracking", "illegal", "malware scripting", "malware spreader", "network rat", "multiple botnetworks" ], "references": [ "https://thebrotherssabey.wordpress.com/", "acam-mdn.apple.com", "beacons.bcp.gvt.com", "cpcontacts.webcamara.online", "http://dreamsofspanking.com/scene/item/rosie-backlash-caning?utm_campaign=apr15", "http://ti.hicloudcam.com", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://search.app.goo.gl/?ofl", "Worm:Win32/Benjamin", "FileHash-SHA256\t00000254e6344d34a1e4ef157cb01d8b7efa65c22c996f9dfe85e7482c6c86ab", "FileHash-MD5\ted5c771224fbd6f9b2c0cf1e8cce09b5", "FileHash-SHA1\tf336b50f5cca2ddc0341e2c4001b419a830d27a5", "applemusic-spotlight.myunidays.com", "nr-data.net", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4", "blackhat.store", "api.telegram.org", "cobaltstrike4.tk | https://cobaltstrike4.tk:8443/include/template/isx.php" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Silk", "display_name": "Silk", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65a429795adf468b427a3c8b", "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2469, "URL": 6038, "FileHash-MD5": 169, "FileHash-SHA1": 157, "FileHash-SHA256": 3922, "CIDR": 2, "hostname": 2787, "email": 2, "CVE": 1 }, "indicator_count": 15547, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "592 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b85faa9b8e3e1206d7f25c", "name": "Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection ", "description": "", "modified": "2024-06-15T04:39:29.943000", "created": "2024-01-30T02:32:10.210000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "659719b77c383c73c05208a9", "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3503, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28413, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "674 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65eb9b25110526c6b2a0ada5", "name": "VirTool:MSIL/CryptInject.CF!MTB | Rexxfield? Weird stuff", "description": "", "modified": "2024-03-08T23:11:33.426000", "created": "2024-03-08T23:11:33.426000", "tags": [ "threat", "feeds ioc", "new ioc", "teams api", "contact", "paste", "iocs", "analyze", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "whois whois", "communicating", "contacted", "family", "roots", "lolkek", "redline stealer", "hacktool", "html info", "title rexxfield", "services", "identify", "meta tags", "rexxfield cyber", "investigation", "divi child", "site kit", "google", "united", "unknown", "as24940 hetzner", "germany unknown", "passive dns", "urls", "title", "moved", "scan endpoints", "all octoseek", "body", "cyber stalking", "pornographer", "urls url", "files", "ip address", "execution", "metro", "medium", "show", "search", "ids detections", "yara detections", "win32", "ppi useragent", "installcapital", "http", "packing t1045", "malware", "write", "obsession", "malvertizing", "masquerading", "ipv4", "pulse submit", "url analysis", "cookie", "status", "domain", "creation date", "trojan", "date", "expiration date", "name servers", "trojanclicker", "encrypt", "error", "ransomware", "malware generator", "meta", "for privacy", "aaaa", "komodo", "asnone united", "alfper", "as22612", "nxdomain", "gmt x", "ransom", "virtool", "log id", "gmtn", "digicert tls", "rsa sha256", "tls web", "full name", "digicert inc", "california", "false", "pulse pulses", "location united", "as16276", "as14061", "code", "next", "url http", "hostname", "files domain", "files related", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "networm", "as13414 twitter", "as32934", "script urls", "a domains", "worm", "entries", "meta http", "window", "select contact", "domain holder", "nexus category", "tackle company", "postal code", "component loop", "apache", "pragma", "value0", "ioc search", "threat analyzer", "hostnames", "dangerous", "target", "targeting", "hacker profile", "cybercrime", "fraud services", "strange", "tsara brashears", "michael roberts", "tracey richter", "voyeurism", "slander", "password", "hijacker" ], "references": [ "https://rexxfield.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | OS & iOS Password and Password Cracker", "www.akhaltsikhe.gov.ge [Germany?]", "screencasts.rexxfield.com", "https://rexxfield.com [ hmmm...inc.legal] is Alienvault a subsidiary of Rexxfields unwarranted investigation/spy campaign? Confused", "https://www.akhaltsikhe.gov.ge/ | GMT Server LiteSpeed location", "94.130.71.173 [scanning host]", "http://www.objectaid.com/update/current/p2.index [AIN Phishing IOC's]", "https://www.couriermail.com.au/ipad/custody-bid-strands-family/news-story/23c2c9a5fc984edc04d29655c641f484", "Michael Roberts Australia, Germany, Iowa, New York Friend of Ben", "Michael Roberts - murder suspect, victim, hacker, PI", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [text, email, collection]", "https://ladys.one/xxx/a-tsara-brashears-zafira-porn", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net [BitCoinAussie ?]", "98cc05d9c12c214deadfe71af22cd3862e7417c0 [backdoor | PPI User-Agent (InstallCapital)]", "a.nel.cloudflare.com / api.w.org", "miles.ns.cloudflare.com", "https://otx.alienvault.com/indicator/url/https://media.toxtren.com/redirect.aspx?pid=272789&&bid=1971&&lpid=2119&&subid=18b8dh9scxi7sbl11f&&sref=inhousecpa&&inhousecpa=Kiev_Dima_BR_Setki", "https://www.google.com/?authuser=0" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "TrojanClicker", "display_name": "TrojanClicker", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "ALFPER:InstallCapital", "display_name": "ALFPER:InstallCapital", "target": null }, { "id": "VirTool:MSIL/CryptInject.CF!MTB", "display_name": "VirTool:MSIL/CryptInject.CF!MTB", "target": "/malware/VirTool:MSIL/CryptInject.CF!MTB" }, { "id": "Win.Malware.Downloadguide-6803841-0", "display_name": "Win.Malware.Downloadguide-6803841-0", "target": null }, { "id": "Win.Packed.kkrunchy-7049457-1", "display_name": "Win.Packed.kkrunchy-7049457-1", "target": null }, { "id": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram", "display_name": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.A", "display_name": "TrojanDownloader:Win32/Upatre.A", "target": "/malware/TrojanDownloader:Win32/Upatre.A" }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "ALF:HeraklezEval:Trojan:BAT/Musecador", "display_name": "ALF:HeraklezEval:Trojan:BAT/Musecador", "target": null }, { "id": "Backdoor:Win32/Wabot.A", "display_name": "Backdoor:Win32/Wabot.A", "target": "/malware/Backdoor:Win32/Wabot.A" }, { "id": "Ransom:Win32/G And Crab!rfn", "display_name": "Ransom:Win32/G And Crab!rfn", "target": "/malware/Ransom:Win32/G And Crab!rfn" }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "#Lowfi:FOP:VirTool:Win32/Injector", "display_name": "#Lowfi:FOP:VirTool:Win32/Injector", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat", "display_name": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat", "target": null }, { "id": "InstallBrain", "display_name": "InstallBrain", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "TrojanSpy:Win32/Bradesco", "display_name": "TrojanSpy:Win32/Bradesco", "target": "/malware/TrojanSpy:Win32/Bradesco" }, { "id": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker", "display_name": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "65a342310ab3d2c69778d608", "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 143, "FileHash-SHA1": 130, "FileHash-SHA256": 1524, "URL": 3340, "domain": 1735, "hostname": 1398, "CVE": 1, "email": 6, "SSLCertFingerprint": 2 }, "indicator_count": 8279, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "772 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65eb98d47b74b50cf8ce6797", "name": "VirTool:Win32/AccessMe | Ghost RAT", "description": "", "modified": "2024-03-08T23:01:40.129000", "created": "2024-03-08T23:01:40.129000", "tags": [ "threat", "feeds ioc", "new ioc", "teams api", "contact", "paste", "iocs", "analyze", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "whois whois", "communicating", "contacted", "family", "roots", "lolkek", "redline stealer", "hacktool", "html info", "title rexxfield", "services", "identify", "meta tags", "rexxfield cyber", "investigation", "divi child", "site kit", "google", "united", "unknown", "as24940 hetzner", "germany unknown", "passive dns", "urls", "title", "moved", "scan endpoints", "all octoseek", "body", "cyber stalking", "pornographer", "urls url", "files", "ip address", "execution", "metro", "medium", "show", "search", "ids detections", "yara detections", "win32", "ppi useragent", "installcapital", "http", "packing t1045", "malware", "write", "obsession", "malvertizing", "masquerading", "ipv4", "pulse submit", "url analysis", "cookie", "status", "domain", "creation date", "trojan", "date", "expiration date", "name servers", "trojanclicker", "encrypt", "error", "ransomware", "malware generator", "meta", "for privacy", "aaaa", "komodo", "asnone united", "alfper", "as22612", "nxdomain", "gmt x", "ransom", "virtool", "log id", "gmtn", "digicert tls", "rsa sha256", "tls web", "full name", "digicert inc", "california", "false", "pulse pulses", "location united", "as16276", "as14061", "code", "next", "url http", "hostname", "files domain", "files related", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "networm", "as13414 twitter", "as32934", "script urls", "a domains", "worm", "entries", "meta http", "window", "select contact", "domain holder", "nexus category", "tackle company", "postal code", "component loop", "apache", "pragma", "value0", "ioc search", "threat analyzer", "hostnames", "dangerous", "target", "targeting", "hacker profile", "cybercrime", "fraud services", "strange", "tsara brashears", "michael roberts", "tracey richter", "voyeurism", "slander", "password", "hijacker" ], "references": [ "https://rexxfield.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | OS & iOS Password and Password Cracker", "www.akhaltsikhe.gov.ge [Germany?]", "screencasts.rexxfield.com", "https://rexxfield.com [ hmmm...inc.legal] is Alienvault a subsidiary of Rexxfields unwarranted investigation/spy campaign? Confused", "https://www.akhaltsikhe.gov.ge/ | GMT Server LiteSpeed location", "94.130.71.173 [scanning host]", "http://www.objectaid.com/update/current/p2.index [AIN Phishing IOC's]", "https://www.couriermail.com.au/ipad/custody-bid-strands-family/news-story/23c2c9a5fc984edc04d29655c641f484", "Michael Roberts Australia, Germany, Iowa, New York Friend of Ben", "Michael Roberts - murder suspect, victim, hacker, PI", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [text, email, collection]", "https://ladys.one/xxx/a-tsara-brashears-zafira-porn", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net [BitCoinAussie ?]", "98cc05d9c12c214deadfe71af22cd3862e7417c0 [backdoor | PPI User-Agent (InstallCapital)]", "a.nel.cloudflare.com / api.w.org", "miles.ns.cloudflare.com", "https://otx.alienvault.com/indicator/url/https://media.toxtren.com/redirect.aspx?pid=272789&&bid=1971&&lpid=2119&&subid=18b8dh9scxi7sbl11f&&sref=inhousecpa&&inhousecpa=Kiev_Dima_BR_Setki", "https://www.google.com/?authuser=0" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "TrojanClicker", "display_name": "TrojanClicker", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "ALFPER:InstallCapital", "display_name": "ALFPER:InstallCapital", "target": null }, { "id": "VirTool:MSIL/CryptInject.CF!MTB", "display_name": "VirTool:MSIL/CryptInject.CF!MTB", "target": "/malware/VirTool:MSIL/CryptInject.CF!MTB" }, { "id": "Win.Malware.Downloadguide-6803841-0", "display_name": "Win.Malware.Downloadguide-6803841-0", "target": null }, { "id": "Win.Packed.kkrunchy-7049457-1", "display_name": "Win.Packed.kkrunchy-7049457-1", "target": null }, { "id": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram", "display_name": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.A", "display_name": "TrojanDownloader:Win32/Upatre.A", "target": "/malware/TrojanDownloader:Win32/Upatre.A" }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "ALF:HeraklezEval:Trojan:BAT/Musecador", "display_name": "ALF:HeraklezEval:Trojan:BAT/Musecador", "target": null }, { "id": "Backdoor:Win32/Wabot.A", "display_name": "Backdoor:Win32/Wabot.A", "target": "/malware/Backdoor:Win32/Wabot.A" }, { "id": "Ransom:Win32/G And Crab!rfn", "display_name": "Ransom:Win32/G And Crab!rfn", "target": "/malware/Ransom:Win32/G And Crab!rfn" }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "#Lowfi:FOP:VirTool:Win32/Injector", "display_name": "#Lowfi:FOP:VirTool:Win32/Injector", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat", "display_name": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat", "target": null }, { "id": "InstallBrain", "display_name": "InstallBrain", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "TrojanSpy:Win32/Bradesco", "display_name": "TrojanSpy:Win32/Bradesco", "target": "/malware/TrojanSpy:Win32/Bradesco" }, { "id": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker", "display_name": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "65acace20c18a7d6c5da2e27", "export_count": 43, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 143, "FileHash-SHA1": 130, "FileHash-SHA256": 1524, "URL": 3340, "domain": 1735, "hostname": 1398, "CVE": 1, "email": 6, "SSLCertFingerprint": 2 }, "indicator_count": 8279, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "772 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a7e576b3cbdf2f86a32acc", "name": "Skynet | prd.connectforhealthco.com | Identity theft |", "description": "Remote interception of health insurance applicants call. Social engineering - threat actor will walk target through process beginning with; verification of phone model, browser used, phone number, email, ssn# entered in staged health insurance enrollment application. Auto forwards ssn# to Experian, locking consumer from of all accounts, credit information is stolen, consumer identity theft. New accounts cannot be created, a password reset is required for scam, all emails requested, bad actor will ask for entire households email accounts, device use, etc. Sends malicious forms to devices. Takes consumer through a lengthy phone transfer scheme +++", "modified": "2024-02-16T13:04:46.804000", "created": "2024-01-17T14:34:30.204000", "tags": [ "whois record", "historical ssl", "ssl certificate", "april", "referrer", "threat roundup", "communicating", "whois", "rwi dtools", "jekyll", "metro", "skynet", "identity theft", "parking crew", "whois whois", "resolutions", "october", "august", "march", "june", "attack", "goldfinder", "sibot", "hacktool", "remote attack", "social engineering", "read c", "get autoit", "search", "regsetvalueexa", "show", "entries", "regdword", "intel", "ms windows", "showing", "autoit", "write", "worm", "copy", "unknown", "win32", "persistence", "execution", "malware", "autorun", "redacted for", "for privacy", "name servers", "date", "scan endpoints", "all octoseek", "hostname", "pulse submit", "url analysis", "encrypt", "next", "sabey", "no expiration", "filehashsha256", "filehashsha1", "filehashmd5", "iocs", "create new", "pulse use", "pdf report", "pcap", "malware beacon", "useragent", "http request", "hostile", "autoit windows", "automation tool", "forbidden", "algorithm", "full name", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "info", "first", "detections type", "name", "javascript", "pdf community", "office open", "xml spreadsheet", "text", "siblings", "process32nextw", "fjlsedauv", "writeconsolea", "medium", "discovery", "high", "module load", "t1129", "united", "as63949 linode", "mtb jan", "passive dns", "backdoor", "mtb dec", "open", "body", "artro", "creation date", "servers", "urls", "record value", "expiration date", "vt graph", "parent referrer", "apple private", "data collection", "hidden privacy", "malicious", "verified", "utc submissions", "submitters", "summary iocs", "graph community", "tucows", "amazonaes", "china telecom", "group", "cloudflarenet", "akamaias", "pty ltd", "argon data", "communication", "limited", "digitaloceanasn", "twitter", "dropbox", "domainsite", "alibaba cloud", "computing", "beijing", "service", "ip address", "latest", "virustotal", "unclejohn", "us autonomous", "system46606", "unified layer", "urls latest", "contacted", "historical", "subdomains", "gootloader", "http response", "final url", "status code", "body length", "kb body", "sha256", "headers", "binary", "sameorigin", "scammer", "spammer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "Sibot - S0589", "display_name": "Sibot - S0589", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Verified", "display_name": "Verified", "target": null }, { "id": "Downloader.Cerber/JS!1.A59C (CLASSIC)", "display_name": "Downloader.Cerber/JS!1.A59C (CLASSIC)", "target": null }, { "id": "W32/Expiro.fam", "display_name": "W32/Expiro.fam", "target": null }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1460", "name": "Biometric Spoofing", "display_name": "T1460 - Biometric Spoofing" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" } ], "industries": [ "Healthcare", "Insurance", "Finance", "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 515, "FileHash-SHA1": 504, "FileHash-SHA256": 3557, "URL": 5450, "domain": 1842, "hostname": 2221, "CVE": 2, "email": 6 }, "indicator_count": 14097, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "793 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a429795adf468b427a3c8b", "name": "Apple | Worm:Win32/Benjamin | thebrotherssabey.com", "description": "Retaliation. Brian Sabey representing as an attorney and many other occupations contacted and socially engineered target. Uncertain of true name. Contacted 'alleged' SA assault victim. Made claims of representing a Jeffrey Scott Reimer DPT' alleged 'S' Assaulter. Substantiated claims made with the twist of 'victim consented'. Mark Brian Sbabeys claims dismissed. Continues to hack, harass, intimidate target in every possible way. Hacking, monitoring, service, modification, phone contact, malicious texting, in person monitoring via colleagues, hacks into medical and medical billing centers, sells/leaks targets data on dark web. Removed targets name from most pulses via remote device access. Self whitelist. Everything he does is illegal.\n\nTarget not important enough to law enforcement.", "modified": "2024-02-13T17:04:19.437000", "created": "2024-01-14T18:35:37.757000", "tags": [ "execution", "whois record", "contacted", "ssl certificate", "whois whois", "contacted urls", "copy", "historical ssl", "referrer", "urls url", "icmp", "malicious", "installer", "problems", "collections", "report", "phishing", "service tool", "greatness", "threat network", "emotet", "magniber", "startpage", "attack", "banker", "keylogger", "namecheap inc", "com laude", "ltd dba", "cloudflare", "porkbun llc", "ii llc", "csc corporate", "domains", "computer", "company limited", "first", "cloudflarenet", "google", "amazon02", "akamaias", "telecom italia", "utc submissions", "microsoftcorpas", "indonesia", "beijing gu", "appleaustin", "sucurisec", "amazonaes", "limited", "tsara brashears", "pornhub", "thebrotherssabey", "then brothers sabey", "brian sabey", "apple", "icloud", "apple engineering", "soc", "hacker", "teams", "malvertizing", "cyberthreat", "cyber crime", "data", "v3 serial", "number", "cgb stgreater", "ecc domain", "server ca", "subject public", "key info", "key algorithm", "ec oid", "remote", "remote attacker", "benjamin", "worm", "trojan", "win32", "trojanspy", "ransomware", "command and control", "cnc", "c2", "stealer", "password", "apple unlocker", "pornographers", "cyber stalking", "revenge rat", "masquerading", "scanning host", "phishing", "dns", "network", "cobalt strike", "mitre attack", "metro hacker", "t-mobile hacker", "stalker", "social engineering", "et", "torrent trecker", "view", "duckdns", "blackhat", "data center", "tracking", "illegal", "malware scripting", "malware spreader", "network rat", "multiple botnetworks" ], "references": [ "https://thebrotherssabey.wordpress.com/", "acam-mdn.apple.com", "beacons.bcp.gvt.com", "cpcontacts.webcamara.online", "http://dreamsofspanking.com/scene/item/rosie-backlash-caning?utm_campaign=apr15", "http://ti.hicloudcam.com", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://search.app.goo.gl/?ofl", "Worm:Win32/Benjamin", "FileHash-SHA256\t00000254e6344d34a1e4ef157cb01d8b7efa65c22c996f9dfe85e7482c6c86ab", "FileHash-MD5\ted5c771224fbd6f9b2c0cf1e8cce09b5", "FileHash-SHA1\tf336b50f5cca2ddc0341e2c4001b419a830d27a5", "applemusic-spotlight.myunidays.com", "nr-data.net", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4", "blackhat.store", "api.telegram.org", "cobaltstrike4.tk | https://cobaltstrike4.tk:8443/include/template/isx.php" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Silk", "display_name": "Silk", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2462, "URL": 5950, "FileHash-MD5": 168, "FileHash-SHA1": 156, "FileHash-SHA256": 3901, "CIDR": 2, "hostname": 2766, "email": 2, "CVE": 1 }, "indicator_count": 15408, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "796 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65afc9cf333bbda03a18e03c", "name": "VirTool:Win32/AccessMe | Ghost RAT", "description": "", "modified": "2024-02-13T00:04:59.507000", "created": "2024-01-23T14:14:39.725000", "tags": [ "threat", "feeds ioc", "new ioc", "teams api", "contact", "paste", "iocs", "analyze", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "whois whois", "communicating", "contacted", "family", "roots", "lolkek", "redline stealer", "hacktool", "html info", "title rexxfield", "services", "identify", "meta tags", "rexxfield cyber", "investigation", "divi child", "site kit", "google", "united", "unknown", "as24940 hetzner", "germany unknown", "passive dns", "urls", "title", "moved", "scan endpoints", "all octoseek", "body", "cyber stalking", "pornographer", "urls url", "files", "ip address", "execution", "metro", "medium", "show", "search", "ids detections", "yara detections", "win32", "ppi useragent", "installcapital", "http", "packing t1045", "malware", "write", "obsession", "malvertizing", "masquerading", "ipv4", "pulse submit", "url analysis", "cookie", "status", "domain", "creation date", "trojan", "date", "expiration date", "name servers", "trojanclicker", "encrypt", "error", "ransomware", "malware generator", "meta", "for privacy", "aaaa", "komodo", "asnone united", "alfper", "as22612", "nxdomain", "gmt x", "ransom", "virtool", "log id", "gmtn", "digicert tls", "rsa sha256", "tls web", "full name", "digicert inc", "california", "false", "pulse pulses", "location united", "as16276", "as14061", "code", "next", "url http", "hostname", "files domain", "files related", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "networm", "as13414 twitter", "as32934", "script urls", "a domains", "worm", "entries", "meta http", "window", "select contact", "domain holder", "nexus category", "tackle company", "postal code", "component loop", "apache", "pragma", "value0", "ioc search", "threat analyzer", "hostnames", "dangerous", "target", "targeting", "hacker profile", "cybercrime", "fraud services", "strange", "tsara brashears", "michael roberts", "tracey richter", "voyeurism", "slander", "password", "hijacker" ], "references": [ "https://rexxfield.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | OS & iOS Password and Password Cracker", "www.akhaltsikhe.gov.ge [Germany?]", "screencasts.rexxfield.com", "https://rexxfield.com [ hmmm...inc.legal] is Alienvault a subsidiary of Rexxfields unwarranted investigation/spy campaign? Confused", "https://www.akhaltsikhe.gov.ge/ | GMT Server LiteSpeed location", "94.130.71.173 [scanning host]", "http://www.objectaid.com/update/current/p2.index [AIN Phishing IOC's]", "https://www.couriermail.com.au/ipad/custody-bid-strands-family/news-story/23c2c9a5fc984edc04d29655c641f484", "Michael Roberts Australia, Germany, Iowa, New York Friend of Ben", "Michael Roberts - murder suspect, victim, hacker, PI", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [text, email, collection]", "https://ladys.one/xxx/a-tsara-brashears-zafira-porn", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net [BitCoinAussie ?]", "98cc05d9c12c214deadfe71af22cd3862e7417c0 [backdoor | PPI User-Agent (InstallCapital)]", "a.nel.cloudflare.com / api.w.org", "miles.ns.cloudflare.com", "https://otx.alienvault.com/indicator/url/https://media.toxtren.com/redirect.aspx?pid=272789&&bid=1971&&lpid=2119&&subid=18b8dh9scxi7sbl11f&&sref=inhousecpa&&inhousecpa=Kiev_Dima_BR_Setki", "https://www.google.com/?authuser=0" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "TrojanClicker", "display_name": "TrojanClicker", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "ALFPER:InstallCapital", "display_name": "ALFPER:InstallCapital", "target": null }, { "id": "VirTool:MSIL/CryptInject.CF!MTB", "display_name": "VirTool:MSIL/CryptInject.CF!MTB", "target": "/malware/VirTool:MSIL/CryptInject.CF!MTB" }, { "id": "Win.Malware.Downloadguide-6803841-0", "display_name": "Win.Malware.Downloadguide-6803841-0", "target": null }, { "id": "Win.Packed.kkrunchy-7049457-1", "display_name": "Win.Packed.kkrunchy-7049457-1", "target": null }, { "id": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram", "display_name": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.A", "display_name": "TrojanDownloader:Win32/Upatre.A", "target": "/malware/TrojanDownloader:Win32/Upatre.A" }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "ALF:HeraklezEval:Trojan:BAT/Musecador", "display_name": "ALF:HeraklezEval:Trojan:BAT/Musecador", "target": null }, { "id": "Backdoor:Win32/Wabot.A", "display_name": "Backdoor:Win32/Wabot.A", "target": "/malware/Backdoor:Win32/Wabot.A" }, { "id": "Ransom:Win32/G And Crab!rfn", "display_name": "Ransom:Win32/G And Crab!rfn", "target": "/malware/Ransom:Win32/G And Crab!rfn" }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "#Lowfi:FOP:VirTool:Win32/Injector", "display_name": "#Lowfi:FOP:VirTool:Win32/Injector", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat", "display_name": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat", "target": null }, { "id": "InstallBrain", "display_name": "InstallBrain", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "TrojanSpy:Win32/Bradesco", "display_name": "TrojanSpy:Win32/Bradesco", "target": "/malware/TrojanSpy:Win32/Bradesco" }, { "id": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker", "display_name": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "65acace20c18a7d6c5da2e27", "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 143, "FileHash-SHA1": 130, "FileHash-SHA256": 1524, "URL": 3340, "domain": 1735, "hostname": 1398, "CVE": 1, "email": 6, "SSLCertFingerprint": 2 }, "indicator_count": 8279, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "797 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65acace20c18a7d6c5da2e27", "name": "VirTool:Win32/AccessMe | Ghost RAT", "description": "", "modified": "2024-02-13T00:04:59.507000", "created": "2024-01-21T05:34:26.800000", "tags": [ "threat", "feeds ioc", "new ioc", "teams api", "contact", "paste", "iocs", "analyze", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "whois whois", "communicating", "contacted", "family", "roots", "lolkek", "redline stealer", "hacktool", "html info", "title rexxfield", "services", "identify", "meta tags", "rexxfield cyber", "investigation", "divi child", "site kit", "google", "united", "unknown", "as24940 hetzner", "germany unknown", "passive dns", "urls", "title", "moved", "scan endpoints", "all octoseek", "body", "cyber stalking", "pornographer", "urls url", "files", "ip address", "execution", "metro", "medium", "show", "search", "ids detections", "yara detections", "win32", "ppi useragent", "installcapital", "http", "packing t1045", "malware", "write", "obsession", "malvertizing", "masquerading", "ipv4", "pulse submit", "url analysis", "cookie", "status", "domain", "creation date", "trojan", "date", "expiration date", "name servers", "trojanclicker", "encrypt", "error", "ransomware", "malware generator", "meta", "for privacy", "aaaa", "komodo", "asnone united", "alfper", "as22612", "nxdomain", "gmt x", "ransom", "virtool", "log id", "gmtn", "digicert tls", "rsa sha256", "tls web", "full name", "digicert inc", "california", "false", "pulse pulses", "location united", "as16276", "as14061", "code", "next", "url http", "hostname", "files domain", "files related", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "networm", "as13414 twitter", "as32934", "script urls", "a domains", "worm", "entries", "meta http", "window", "select contact", "domain holder", "nexus category", "tackle company", "postal code", "component loop", "apache", "pragma", "value0", "ioc search", "threat analyzer", "hostnames", "dangerous", "target", "targeting", "hacker profile", "cybercrime", "fraud services", "strange", "tsara brashears", "michael roberts", "tracey richter", "voyeurism", "slander", "password", "hijacker" ], "references": [ "https://rexxfield.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | OS & iOS Password and Password Cracker", "www.akhaltsikhe.gov.ge [Germany?]", "screencasts.rexxfield.com", "https://rexxfield.com [ hmmm...inc.legal] is Alienvault a subsidiary of Rexxfields unwarranted investigation/spy campaign? Confused", "https://www.akhaltsikhe.gov.ge/ | GMT Server LiteSpeed location", "94.130.71.173 [scanning host]", "http://www.objectaid.com/update/current/p2.index [AIN Phishing IOC's]", "https://www.couriermail.com.au/ipad/custody-bid-strands-family/news-story/23c2c9a5fc984edc04d29655c641f484", "Michael Roberts Australia, Germany, Iowa, New York Friend of Ben", "Michael Roberts - murder suspect, victim, hacker, PI", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [text, email, collection]", "https://ladys.one/xxx/a-tsara-brashears-zafira-porn", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net [BitCoinAussie ?]", "98cc05d9c12c214deadfe71af22cd3862e7417c0 [backdoor | PPI User-Agent (InstallCapital)]", "a.nel.cloudflare.com / api.w.org", "miles.ns.cloudflare.com", "https://otx.alienvault.com/indicator/url/https://media.toxtren.com/redirect.aspx?pid=272789&&bid=1971&&lpid=2119&&subid=18b8dh9scxi7sbl11f&&sref=inhousecpa&&inhousecpa=Kiev_Dima_BR_Setki", "https://www.google.com/?authuser=0" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "TrojanClicker", "display_name": "TrojanClicker", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "ALFPER:InstallCapital", "display_name": "ALFPER:InstallCapital", "target": null }, { "id": "VirTool:MSIL/CryptInject.CF!MTB", "display_name": "VirTool:MSIL/CryptInject.CF!MTB", "target": "/malware/VirTool:MSIL/CryptInject.CF!MTB" }, { "id": "Win.Malware.Downloadguide-6803841-0", "display_name": "Win.Malware.Downloadguide-6803841-0", "target": null }, { "id": "Win.Packed.kkrunchy-7049457-1", "display_name": "Win.Packed.kkrunchy-7049457-1", "target": null }, { "id": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram", "display_name": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.A", "display_name": "TrojanDownloader:Win32/Upatre.A", "target": "/malware/TrojanDownloader:Win32/Upatre.A" }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "ALF:HeraklezEval:Trojan:BAT/Musecador", "display_name": "ALF:HeraklezEval:Trojan:BAT/Musecador", "target": null }, { "id": "Backdoor:Win32/Wabot.A", "display_name": "Backdoor:Win32/Wabot.A", "target": "/malware/Backdoor:Win32/Wabot.A" }, { "id": "Ransom:Win32/G And Crab!rfn", "display_name": "Ransom:Win32/G And Crab!rfn", "target": "/malware/Ransom:Win32/G And Crab!rfn" }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "#Lowfi:FOP:VirTool:Win32/Injector", "display_name": "#Lowfi:FOP:VirTool:Win32/Injector", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat", "display_name": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat", "target": null }, { "id": "InstallBrain", "display_name": "InstallBrain", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "TrojanSpy:Win32/Bradesco", "display_name": "TrojanSpy:Win32/Bradesco", "target": "/malware/TrojanSpy:Win32/Bradesco" }, { "id": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker", "display_name": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "65a342310ab3d2c69778d608", "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 143, "FileHash-SHA1": 130, "FileHash-SHA256": 1524, "URL": 3340, "domain": 1735, "hostname": 1398, "CVE": 1, "email": 6, "SSLCertFingerprint": 2 }, "indicator_count": 8279, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "797 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://ssl424011.cloudflaressl.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://ssl424011.cloudflaressl.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776681408.2376928 }