{ "type": "URL", "indicator": "https://staging.100df.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://staging.100df.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3822755441, "indicator": "https://staging.100df.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "65eedf74b7bdda41057bef3e", "name": "Source Browse- DNS poisoning \u2022 Device CnC", "description": "Smear + Fear campaign. Parked domain schemes. Swatting, social engineering, crime staging/framing. Cyber bully, shocking, false online content, posters, porn dumping, injection, CnC devices, master keys, break & enter. Victim becomes the accused. Framing. Ability to close bank accounts, skim, call, text, email collection, redirect phone calls, create botnets, engineer malware, injection,divert tax refunds, divert funds, royalties, mail erase job history, attack, hospital, CnC event, IRS audits, fake documentaries, stalkers, attackers, death threats. MD articulated outcome after being SA'd by their employee they vowed to protect.", "modified": "2024-04-10T09:00:27.994000", "created": "2024-03-11T10:39:48.949000", "tags": [ "iocs", "all octoseek", "blacklist https", "gmbh version", "legal", "service privacy", "general full", "reverse dns", "san francisco", "asn13335", "cloudflarenet", "cloudflare", "domains", "service privacy", "modernizr", "domainpath name", "migrate", "phishing", "url https", "united", "line", "threat", "paste", "analyze", "value", "z6s3i string", "a7i string", "y3i string", "e0b function", "x8i string", "source level", "threat analyzer", "urls https", "domain", "webzilla", "cloudflar", "system", "hostnames", "sample", "security tls", "ecdheecdsa", "resource", "hash", "windows nt", "win64", "khtml", "gecko", "veryhigh", "limited", "lsalford", "ocomodo ca", "cncomodo ecc", "secure server", "olet", "encrypt", "cnlet", "identity search", "group", "google https", "expired", "comodo", "tls web", "log id", "criteria id", "1663014711", "summary leaf", "timestamp entry", "log operator", "error", "name size", "parent", "directory", "displays", "targets", "smartfolder", "frame", "bookmarks", "splitcount", "nib files", "design", "boundsstr", "rows", "source browser", "ruby logo", "license", "python", "python software", "foundation", "apple inc", "php logo", "visit", "valid", "no na", "no no", "ip security", "ca id", "research group", "cnisrg root", "mozilla", "android", "binrm", "targetdisk", "create", "crlcachedir", "makefile", "dstroot", "keychainssrc", "srcroot", "crl cache", "install", "ev server", "authentication", "subject", "digicert https", "sectigo https", "certificate", "ca limited", "salford", "greater", "key usage", "access", "ca issuers", "ocsp", "x509v3 subject", "lets", "identifier", "411260982", "poison", "search", "status page", "impressum", "protocol h2", "main", "framing", "geoip", "as13335", "centos", "as32244", "liquidweb", "redirect", "as16509", "as133618", "z6s3i y3i", "as62597", "france unknown", "showing", "link", "z6s3i", "date", "unknown", "meta", "sha256", "google safe", "browsing", "hostname", "samples", "td td", "tr tr", "a td", "a domains", "passive dns", "a th", "urls", "as50295 triple", "triple mirrors", "contact", "moved", "show", "accept", "body", "microsoft", "e4609l", "urls http", "yoa https", "url http", "scan endpoints", "report spam", "created", "weeks ago", "pulse", "brashears", "xvideos", "capture", "expiration", "no expiration", "entries", "status", "as58110 ip", "for privacy", "aaaa", "creation date", "domain name", "germany unknown", "bq mar", "ipv4", "pulse pulses", "files", "artro", "files domain", "files related", "pulses otx", "pulses", "tags", "servers", "record value", "body doctype", "html public", "macintosh", "intel mac", "os x", "technology", "dns replication", "email", "server", "registrar abuse", "dnssec", "expiration date", "registrar iana", "admin country", "tech country", "registry admin", "url text", "facebook url", "google url", "google", "software", "asn15169", "ip https", "february", "request chain", "http", "referer", "aes128gcm", "pragma", "frankfurt", "germany", "asn213250", "itpsolutions", "full url", "software caddy", "express", "ubuntu", "as14061", "digitaloceanasn", "address as", "april", "facebook", "march", "hashes", "ip address", "as autonomous", "fastly", "packet", "kb script", "b script", "october", "resource path", "size", "type mimetype", "redirect chain", "kb image", "b image", "cname", "as32244 liquid", "trojan", "high", "yara rule", "sniffs", "windows", "anomalous file", "medium", "guard", "filehash", "js user", "python connection", "brian sabey", "smithtech", "rexxfield", "connect facebook", "open", "emails", "next", "ssl certificate", "contacted", "whois record", "referrer", "historical ssl", "resolutions", "execution", "whois whois", "contacted urls", "linkid69157 url", "formbook", "spyware", "generic malware", "tag count", "sat jul", "threat report", "ip summary", "url summary", "summary", "generic", "alerts", "icmp traffic", "cust exe", "depot tech", "office depot", "tech", "customer client", "june", "copy", "network_icmp", "inject-x64.exe", "tsara brashears", "apple ios", "hacktool", "download", "malware", "relic", "monitoring", "tofsee", "https://otx.alienvault.com/pulse/65acace20c18a7d6c5da2e27", "darklivity", "hijacker", "remote attackers", "cybercrime", "fear factor", "criminal gang", "jeffrey reimer", "miles it", "history killer", "apple", "apple control", "sreredrum", "men", "man", "hit" ], "references": [ "videolal.com [Exploitation for privilege - Turns victim into target then spys, smears, embeds pornography in devices]", "videolal.com was first found hosted : https://rexxfield.com/ | https://crt.sh/?id=410492573 | https://crt.sh/?id=411260982", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/michael.pbxuser.auto.html", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/project.pbxproj.auto.html", "https://opensource.apple.com/source/security_certificates/security_certificates-2/roots/", "https://crt.sh/?q=videolal.com", "https://opensource.apple.com/source/security_certificates/security_certificates-2/Makefile.auto.html", "https://opensource.apple.com/source/security_certificates/", "https://crt.sh/?q=videolal.com", "https://crt.sh/?graph=410492573&opt=nometadata", "https://crt.sh/?spkisha256=2c5ef644a15ed2d591aee707a125b2870da480a0bc16d78022a311c93aca5b15", "Tracey Richter smear included Brashears: http://video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n", "Tracey Richter smear: video-lal.com/videos/diabolical-sentencing.html", "Tracey Richter smear: video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n", "Tracey Richter smear: video-lal.com/video/fbcwPGTSo5lrA7e/tracey-richter-documentary?cpc=no", "Malware hosting: http://videolan.mirror.triple-it.nl/vlc-android/3.0.4/VLC-Android-3.0.4-ARMv7.apk", "video-lal.com/videos/sandra-richter-video.html", "Denver Attorney Frank Azar Smear: video-lal.com/videos/sherryce-emery-frank-azar-&-associates.html", "Brashears smear: video-lal.com/videos/tsara-brashears-dead-by-daylight.html", "http://tx-p2p-pull.video-voip.com.dorm.com/Accept-Language", "Crazy: video-lal.com/videos/michael-roberts.html", "https://urlscan.io/screenshots/e40cd846-7c34-45a5-9f79-fea139f5b1ee.png", "http://secure.applegiftcard.com \u2022 199.59.243.224: http://tx-p2p-pull.video-voip.com.dorm.com \u2022 199.59.243.224: http://wpad.dorm.com", "notonmytrack.info \u2022 http://notonmytrack.info \u2022 https://pochta-rf.ru/track74157857 \u2022 patch-tracker.gnewsense.org \u2022 mysql.snore.co", "Darren Meade: https://urlscan.io/result/e5f1d6fe-036e-4291-8595-0a33e5dacba5/#behaviour \u2022 alleged partner turned enemy of Michael Roberts", "http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe | smithsthermopadtool.com", "http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe \u2022", "Unclear given names authentic. Michael Roberts, Darren Mitchell Meade , M. Brian Sabey could be used interchangeably. Black hats w/pseudonyms.", "Smith tech may refer to Det. Ben Smith. HallRender; a media company, producing nonsensical, albeit convincing evidence of deeply fake content.", "Possibly false names given by individual involved. Brian Sabey Hall Render | Michael Roberts Rexxfield | Darren Meade former partner of Roberts", "Responsible reopening Richter case via alleged Detective Ben Smith | Names Below linked to porn spewing Videolan , Videolal, Video-lal (Honeypots?) |", "http://www.hallrender.com/attorney/brian-sabey |", "Sabey: https://www.google.com/search?q=tsara+brashears&client=ms-android-tmus-us-rvc3&sca_esv=52c806ab62ec5c59&cs=1&prmd=inv&filter=0&biw=347&bih=710&dpr=2.08#ip=1", "https://www.hallrender.com/attorney/brian-sabey", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png | www.hallrender.com | rexxfield.com", "http://usb.smithtech.us \u2022 http://usb.smithtech.us/apps/downloads/NSISPortable.exe \u2022 http://usb.smithtech.us/apps/downloads/xplorer2.lite.portable.exe", "http://usb.smithtech.us/projects/downloads/\u2022 http://usb.smithtech.us/projects/downloads/psu.exe \u2022 smithsthermopadtool.com", "servicer.mgid.com \u2022 http://iv-u15.com/imbd-104-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-\u00e5\u00a4\u008f\u00e5\u00b0\u2018\u00e5\u00a5\u00b3-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-blu-ray \u2022 https://load77.exelator.com/pixel.gif", "brain-portal.net", "303 Status. Ide redirect from: https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "https://otx.alienvault.com/pulse/65e85fd4842119fff4e327cf", "https://otx.alienvault.com/pulse/64cf438a574eae18716e5954", "https://otx.alienvault.com/pulse/64d018ee4623e8fcd386c2e1", "https://otx.alienvault.com/pulse/65418472eb20b10ee5510fde", "https://otx.alienvault.com/pulse/64d65255c80d866add600bac", "https://otx.alienvault.com/pulse/65204565ac1e8bce4de26df3", "https://otx.alienvault.com/pulse/64cf438a574eae18716e5954", "https://otx.alienvault.com/pulse/65a342310ab3d2c69778d608", "Refuses to remove target from adult content \"tagging\"" ], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Win.Malware.Farfli-6824119-0", "display_name": "Win.Malware.Farfli-6824119-0", "target": null }, { "id": "Win32:TrojanX-Gen[Trj]", "display_name": "Win32:TrojanX-Gen[Trj]", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574.006", "name": "Dynamic Linker Hijacking", "display_name": "T1574.006 - Dynamic Linker Hijacking" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1602.002", "name": "Network Device Configuration Dump", "display_name": "T1602.002 - Network Device Configuration Dump" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5328, "domain": 2339, "hostname": 2434, "FileHash-MD5": 1210, "FileHash-SHA1": 721, "FileHash-SHA256": 2784, "SSLCertFingerprint": 5, "CVE": 2, "URI": 2, "email": 10, "CIDR": 3 }, "indicator_count": 14838, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "739 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a20ff8db3854e863dca324", "name": "Shared Modules | Hijacker | Masquerading", "description": "", "modified": "2024-02-12T04:01:56.040000", "created": "2024-01-13T04:22:16.961000", "tags": [ "filehashmd5", "no expiration", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "hostname", "expiration", "domain", "url https", "url http", "source", "stix", "email", "email abuse", "goreasonlimited", "cc no", "tompc", "sum35", "domain xn", "searchbox0", "domainname0", "view", "apple", "apple id", "hijacking", "masquerading", "exploit", "cams", "monitoring", "loki bot", "dns", "open ports", "malvertizing", "malware hosting", "apple script", "js user", "dga", "dga domains", "malware", "multiple_versions", "wagersta", "decode", "system information discovery", "decrypt", "evasion", "defense evasion", "emotet", "android", "ios", "wannacry", "trojan", "worm", "cyber threat", "benjamin", "whois record", "ssl certificate", "contacted", "historical ssl", "referrer", "contacted urls", "execution", "whois whois", "whois sslcert", "and china", "drop", "uchealth", "university of cincinnati health" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2701, "FileHash-SHA1": 2296, "FileHash-SHA256": 3362, "URL": 6191, "domain": 2033, "hostname": 3097, "email": 37, "CVE": 2 }, "indicator_count": 19719, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "797 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Tracey Richter smear: video-lal.com/videos/diabolical-sentencing.html", "http://usb.smithtech.us \u2022 http://usb.smithtech.us/apps/downloads/NSISPortable.exe \u2022 http://usb.smithtech.us/apps/downloads/xplorer2.lite.portable.exe", "http://tx-p2p-pull.video-voip.com.dorm.com/Accept-Language", "video-lal.com/videos/sandra-richter-video.html", "brain-portal.net", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png | www.hallrender.com | rexxfield.com", "Denver Attorney Frank Azar Smear: video-lal.com/videos/sherryce-emery-frank-azar-&-associates.html", "Crazy: video-lal.com/videos/michael-roberts.html", "Responsible reopening Richter case via alleged Detective Ben Smith | Names Below linked to porn spewing Videolan , Videolal, Video-lal (Honeypots?) |", "Tracey Richter smear: video-lal.com/video/fbcwPGTSo5lrA7e/tracey-richter-documentary?cpc=no", "https://otx.alienvault.com/pulse/64d65255c80d866add600bac", "Darren Meade: https://urlscan.io/result/e5f1d6fe-036e-4291-8595-0a33e5dacba5/#behaviour \u2022 alleged partner turned enemy of Michael Roberts", "https://crt.sh/?graph=410492573&opt=nometadata", "http://secure.applegiftcard.com \u2022 199.59.243.224: http://tx-p2p-pull.video-voip.com.dorm.com \u2022 199.59.243.224: http://wpad.dorm.com", "https://otx.alienvault.com/pulse/65a342310ab3d2c69778d608", "303 Status. Ide redirect from: https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/", "http://usb.smithtech.us/projects/downloads/\u2022 http://usb.smithtech.us/projects/downloads/psu.exe \u2022 smithsthermopadtool.com", "https://otx.alienvault.com/pulse/64cf438a574eae18716e5954", "Malware hosting: http://videolan.mirror.triple-it.nl/vlc-android/3.0.4/VLC-Android-3.0.4-ARMv7.apk", "Sabey: https://www.google.com/search?q=tsara+brashears&client=ms-android-tmus-us-rvc3&sca_esv=52c806ab62ec5c59&cs=1&prmd=inv&filter=0&biw=347&bih=710&dpr=2.08#ip=1", "Refuses to remove target from adult content \"tagging\"", "https://urlscan.io/screenshots/e40cd846-7c34-45a5-9f79-fea139f5b1ee.png", "Tracey Richter smear included Brashears: http://video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n", "Unclear given names authentic. Michael Roberts, Darren Mitchell Meade , M. Brian Sabey could be used interchangeably. Black hats w/pseudonyms.", "servicer.mgid.com \u2022 http://iv-u15.com/imbd-104-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-\u00e5\u00a4\u008f\u00e5\u00b0\u2018\u00e5\u00a5\u00b3-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-blu-ray \u2022 https://load77.exelator.com/pixel.gif", "Tracey Richter smear: video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n", "https://crt.sh/?q=videolal.com", "https://www.hallrender.com/attorney/brian-sabey", "http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe \u2022", "Brashears smear: video-lal.com/videos/tsara-brashears-dead-by-daylight.html", "videolal.com [Exploitation for privilege - Turns victim into target then spys, smears, embeds pornography in devices]", "https://opensource.apple.com/source/security_certificates/", "videolal.com was first found hosted : https://rexxfield.com/ | https://crt.sh/?id=410492573 | https://crt.sh/?id=411260982", "http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe | smithsthermopadtool.com", "notonmytrack.info \u2022 http://notonmytrack.info \u2022 https://pochta-rf.ru/track74157857 \u2022 patch-tracker.gnewsense.org \u2022 mysql.snore.co", "Possibly false names given by individual involved. Brian Sabey Hall Render | Michael Roberts Rexxfield | Darren Meade former partner of Roberts", "https://opensource.apple.com/source/security_certificates/security_certificates-2/Makefile.auto.html", "https://opensource.apple.com/source/security_certificates/security_certificates-2/roots/", "https://crt.sh/?spkisha256=2c5ef644a15ed2d591aee707a125b2870da480a0bc16d78022a311c93aca5b15", "https://otx.alienvault.com/pulse/65204565ac1e8bce4de26df3", "Smith tech may refer to Det. Ben Smith. HallRender; a media company, producing nonsensical, albeit convincing evidence of deeply fake content.", "http://www.hallrender.com/attorney/brian-sabey |", "https://otx.alienvault.com/pulse/64d018ee4623e8fcd386c2e1", "https://otx.alienvault.com/pulse/65418472eb20b10ee5510fde", "https://otx.alienvault.com/pulse/65e85fd4842119fff4e327cf", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/project.pbxproj.auto.html", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/michael.pbxuser.auto.html" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "[Unnamed group]" ], "malware_families": [ "Win32:trojanx-gen[trj]", "Artro", "Win.malware.farfli-6824119-0", "Generic" ], "industries": [], "unique_indicators": 34704 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/100df.com", "whois": "http://whois.domaintools.com/100df.com", "domain": "100df.com", "hostname": "staging.100df.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "65eedf74b7bdda41057bef3e", "name": "Source Browse- DNS poisoning \u2022 Device CnC", "description": "Smear + Fear campaign. Parked domain schemes. Swatting, social engineering, crime staging/framing. Cyber bully, shocking, false online content, posters, porn dumping, injection, CnC devices, master keys, break & enter. Victim becomes the accused. Framing. Ability to close bank accounts, skim, call, text, email collection, redirect phone calls, create botnets, engineer malware, injection,divert tax refunds, divert funds, royalties, mail erase job history, attack, hospital, CnC event, IRS audits, fake documentaries, stalkers, attackers, death threats. MD articulated outcome after being SA'd by their employee they vowed to protect.", "modified": "2024-04-10T09:00:27.994000", "created": "2024-03-11T10:39:48.949000", "tags": [ "iocs", "all octoseek", "blacklist https", "gmbh version", "legal", "service privacy", "general full", "reverse dns", "san francisco", "asn13335", "cloudflarenet", "cloudflare", "domains", "service privacy", "modernizr", "domainpath name", "migrate", "phishing", "url https", "united", "line", "threat", "paste", "analyze", "value", "z6s3i string", "a7i string", "y3i string", "e0b function", "x8i string", "source level", "threat analyzer", "urls https", "domain", "webzilla", "cloudflar", "system", "hostnames", "sample", "security tls", "ecdheecdsa", "resource", "hash", "windows nt", "win64", "khtml", "gecko", "veryhigh", "limited", "lsalford", "ocomodo ca", "cncomodo ecc", "secure server", "olet", "encrypt", "cnlet", "identity search", "group", "google https", "expired", "comodo", "tls web", "log id", "criteria id", "1663014711", "summary leaf", "timestamp entry", "log operator", "error", "name size", "parent", "directory", "displays", "targets", "smartfolder", "frame", "bookmarks", "splitcount", "nib files", "design", "boundsstr", "rows", "source browser", "ruby logo", "license", "python", "python software", "foundation", "apple inc", "php logo", "visit", "valid", "no na", "no no", "ip security", "ca id", "research group", "cnisrg root", "mozilla", "android", "binrm", "targetdisk", "create", "crlcachedir", "makefile", "dstroot", "keychainssrc", "srcroot", "crl cache", "install", "ev server", "authentication", "subject", "digicert https", "sectigo https", "certificate", "ca limited", "salford", "greater", "key usage", "access", "ca issuers", "ocsp", "x509v3 subject", "lets", "identifier", "411260982", "poison", "search", "status page", "impressum", "protocol h2", "main", "framing", "geoip", "as13335", "centos", "as32244", "liquidweb", "redirect", "as16509", "as133618", "z6s3i y3i", "as62597", "france unknown", "showing", "link", "z6s3i", "date", "unknown", "meta", "sha256", "google safe", "browsing", "hostname", "samples", "td td", "tr tr", "a td", "a domains", "passive dns", "a th", "urls", "as50295 triple", "triple mirrors", "contact", "moved", "show", "accept", "body", "microsoft", "e4609l", "urls http", "yoa https", "url http", "scan endpoints", "report spam", "created", "weeks ago", "pulse", "brashears", "xvideos", "capture", "expiration", "no expiration", "entries", "status", "as58110 ip", "for privacy", "aaaa", "creation date", "domain name", "germany unknown", "bq mar", "ipv4", "pulse pulses", "files", "artro", "files domain", "files related", "pulses otx", "pulses", "tags", "servers", "record value", "body doctype", "html public", "macintosh", "intel mac", "os x", "technology", "dns replication", "email", "server", "registrar abuse", "dnssec", "expiration date", "registrar iana", "admin country", "tech country", "registry admin", "url text", "facebook url", "google url", "google", "software", "asn15169", "ip https", "february", "request chain", "http", "referer", "aes128gcm", "pragma", "frankfurt", "germany", "asn213250", "itpsolutions", "full url", "software caddy", "express", "ubuntu", "as14061", "digitaloceanasn", "address as", "april", "facebook", "march", "hashes", "ip address", "as autonomous", "fastly", "packet", "kb script", "b script", "october", "resource path", "size", "type mimetype", "redirect chain", "kb image", "b image", "cname", "as32244 liquid", "trojan", "high", "yara rule", "sniffs", "windows", "anomalous file", "medium", "guard", "filehash", "js user", "python connection", "brian sabey", "smithtech", "rexxfield", "connect facebook", "open", "emails", "next", "ssl certificate", "contacted", "whois record", "referrer", "historical ssl", "resolutions", "execution", "whois whois", "contacted urls", "linkid69157 url", "formbook", "spyware", "generic malware", "tag count", "sat jul", "threat report", "ip summary", "url summary", "summary", "generic", "alerts", "icmp traffic", "cust exe", "depot tech", "office depot", "tech", "customer client", "june", "copy", "network_icmp", "inject-x64.exe", "tsara brashears", "apple ios", "hacktool", "download", "malware", "relic", "monitoring", "tofsee", "https://otx.alienvault.com/pulse/65acace20c18a7d6c5da2e27", "darklivity", "hijacker", "remote attackers", "cybercrime", "fear factor", "criminal gang", "jeffrey reimer", "miles it", "history killer", "apple", "apple control", "sreredrum", "men", "man", "hit" ], "references": [ "videolal.com [Exploitation for privilege - Turns victim into target then spys, smears, embeds pornography in devices]", "videolal.com was first found hosted : https://rexxfield.com/ | https://crt.sh/?id=410492573 | https://crt.sh/?id=411260982", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/michael.pbxuser.auto.html", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/project.pbxproj.auto.html", "https://opensource.apple.com/source/security_certificates/security_certificates-2/roots/", "https://crt.sh/?q=videolal.com", "https://opensource.apple.com/source/security_certificates/security_certificates-2/Makefile.auto.html", "https://opensource.apple.com/source/security_certificates/", "https://crt.sh/?q=videolal.com", "https://crt.sh/?graph=410492573&opt=nometadata", "https://crt.sh/?spkisha256=2c5ef644a15ed2d591aee707a125b2870da480a0bc16d78022a311c93aca5b15", "Tracey Richter smear included Brashears: http://video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n", "Tracey Richter smear: video-lal.com/videos/diabolical-sentencing.html", "Tracey Richter smear: video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n", "Tracey Richter smear: video-lal.com/video/fbcwPGTSo5lrA7e/tracey-richter-documentary?cpc=no", "Malware hosting: http://videolan.mirror.triple-it.nl/vlc-android/3.0.4/VLC-Android-3.0.4-ARMv7.apk", "video-lal.com/videos/sandra-richter-video.html", "Denver Attorney Frank Azar Smear: video-lal.com/videos/sherryce-emery-frank-azar-&-associates.html", "Brashears smear: video-lal.com/videos/tsara-brashears-dead-by-daylight.html", "http://tx-p2p-pull.video-voip.com.dorm.com/Accept-Language", "Crazy: video-lal.com/videos/michael-roberts.html", "https://urlscan.io/screenshots/e40cd846-7c34-45a5-9f79-fea139f5b1ee.png", "http://secure.applegiftcard.com \u2022 199.59.243.224: http://tx-p2p-pull.video-voip.com.dorm.com \u2022 199.59.243.224: http://wpad.dorm.com", "notonmytrack.info \u2022 http://notonmytrack.info \u2022 https://pochta-rf.ru/track74157857 \u2022 patch-tracker.gnewsense.org \u2022 mysql.snore.co", "Darren Meade: https://urlscan.io/result/e5f1d6fe-036e-4291-8595-0a33e5dacba5/#behaviour \u2022 alleged partner turned enemy of Michael Roberts", "http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe | smithsthermopadtool.com", "http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe \u2022", "Unclear given names authentic. Michael Roberts, Darren Mitchell Meade , M. Brian Sabey could be used interchangeably. Black hats w/pseudonyms.", "Smith tech may refer to Det. Ben Smith. HallRender; a media company, producing nonsensical, albeit convincing evidence of deeply fake content.", "Possibly false names given by individual involved. Brian Sabey Hall Render | Michael Roberts Rexxfield | Darren Meade former partner of Roberts", "Responsible reopening Richter case via alleged Detective Ben Smith | Names Below linked to porn spewing Videolan , Videolal, Video-lal (Honeypots?) |", "http://www.hallrender.com/attorney/brian-sabey |", "Sabey: https://www.google.com/search?q=tsara+brashears&client=ms-android-tmus-us-rvc3&sca_esv=52c806ab62ec5c59&cs=1&prmd=inv&filter=0&biw=347&bih=710&dpr=2.08#ip=1", "https://www.hallrender.com/attorney/brian-sabey", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png | www.hallrender.com | rexxfield.com", "http://usb.smithtech.us \u2022 http://usb.smithtech.us/apps/downloads/NSISPortable.exe \u2022 http://usb.smithtech.us/apps/downloads/xplorer2.lite.portable.exe", "http://usb.smithtech.us/projects/downloads/\u2022 http://usb.smithtech.us/projects/downloads/psu.exe \u2022 smithsthermopadtool.com", "servicer.mgid.com \u2022 http://iv-u15.com/imbd-104-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-\u00e5\u00a4\u008f\u00e5\u00b0\u2018\u00e5\u00a5\u00b3-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-blu-ray \u2022 https://load77.exelator.com/pixel.gif", "brain-portal.net", "303 Status. Ide redirect from: https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "https://otx.alienvault.com/pulse/65e85fd4842119fff4e327cf", "https://otx.alienvault.com/pulse/64cf438a574eae18716e5954", "https://otx.alienvault.com/pulse/64d018ee4623e8fcd386c2e1", "https://otx.alienvault.com/pulse/65418472eb20b10ee5510fde", "https://otx.alienvault.com/pulse/64d65255c80d866add600bac", "https://otx.alienvault.com/pulse/65204565ac1e8bce4de26df3", "https://otx.alienvault.com/pulse/64cf438a574eae18716e5954", "https://otx.alienvault.com/pulse/65a342310ab3d2c69778d608", "Refuses to remove target from adult content \"tagging\"" ], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Win.Malware.Farfli-6824119-0", "display_name": "Win.Malware.Farfli-6824119-0", "target": null }, { "id": "Win32:TrojanX-Gen[Trj]", "display_name": "Win32:TrojanX-Gen[Trj]", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574.006", "name": "Dynamic Linker Hijacking", "display_name": "T1574.006 - Dynamic Linker Hijacking" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1602.002", "name": "Network Device Configuration Dump", "display_name": "T1602.002 - Network Device Configuration Dump" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5328, "domain": 2339, "hostname": 2434, "FileHash-MD5": 1210, "FileHash-SHA1": 721, "FileHash-SHA256": 2784, "SSLCertFingerprint": 5, "CVE": 2, "URI": 2, "email": 10, "CIDR": 3 }, "indicator_count": 14838, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "739 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a20ff8db3854e863dca324", "name": "Shared Modules | Hijacker | Masquerading", "description": "", "modified": "2024-02-12T04:01:56.040000", "created": "2024-01-13T04:22:16.961000", "tags": [ "filehashmd5", "no expiration", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "hostname", "expiration", "domain", "url https", "url http", "source", "stix", "email", "email abuse", "goreasonlimited", "cc no", "tompc", "sum35", "domain xn", "searchbox0", "domainname0", "view", "apple", "apple id", "hijacking", "masquerading", "exploit", "cams", "monitoring", "loki bot", "dns", "open ports", "malvertizing", "malware hosting", "apple script", "js user", "dga", "dga domains", "malware", "multiple_versions", "wagersta", "decode", "system information discovery", "decrypt", "evasion", "defense evasion", "emotet", "android", "ios", "wannacry", "trojan", "worm", "cyber threat", "benjamin", "whois record", "ssl certificate", "contacted", "historical ssl", "referrer", "contacted urls", "execution", "whois whois", "whois sslcert", "and china", "drop", "uchealth", "university of cincinnati health" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2701, "FileHash-SHA1": 2296, "FileHash-SHA256": 3362, "URL": 6191, "domain": 2033, "hostname": 3097, "email": 37, "CVE": 2 }, "indicator_count": 19719, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "797 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://staging.100df.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://staging.100df.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776645546.728715 }