{ "type": "URL", "indicator": "https://webdisk.notyetbreakeven.group", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://webdisk.notyetbreakeven.group", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3741617888, "indicator": "https://webdisk.notyetbreakeven.group", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 17, "pulses": [ { "id": "659d6ae800440c0befb47e22", "name": "BazaLoader affiliates use elaborate infection chains via notable victim interaction", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2024-01-09T15:48:56.676000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657c045ef15bd06d27da1b08", "export_count": 250, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "828 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658ef8c00492cc6bdaa8b605", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch | https://safebae.org", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-29T16:50:08.330000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "658dd341d97d04b0253392d4", "export_count": 518, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "828 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658dd341d97d04b0253392d4", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-28T19:57:53.875000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657ab025b97f20f31bbfcd70", "export_count": 522, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "828 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657c045ef15bd06d27da1b08", "name": "Resource Hijacking by attorney https://hallrender.com/attorney/brian-sabey", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-15T07:46:38.664000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657c03432f4f2997c7d3aff4", "export_count": 508, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "828 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657c03432f4f2997c7d3aff4", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-15T07:41:55.972000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657ab025b97f20f31bbfcd70", "export_count": 508, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "828 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657ab025b97f20f31bbfcd70", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch", "description": "Alleged attorney defending Jeffrey Scott Reimer DPT. Firm uses every possible tool to destroy, make life unbearable, threaten and cause harm to targets. I don't feel safe. I hope this research helps the next target.\n\nMissouri government is seen throughout. The corruption is mafia deep. There is tracking. In person stalking, theft, identity theft, mail theft, modification of records and services, legitimate death threats,etc.\nOpen records act: Target has made multiple reports to authorities regarding physical assaults, threats, phone hacking, etc. OCA: Reports show a settlement was paid by Brian Sabey in part to help Tsara Brashears discover hacker.\nI've been receiving death threats, followed, property accessed, tampering. Attacking entire family including her children, father and beyond.", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-14T07:35:01.537000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": null, "export_count": 512, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "828 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a6b7ff4216fe9cd82625", "name": "DGA Domain", "description": "", "modified": "2023-12-06T16:52:05.939000", "created": "2023-12-06T16:52:05.939000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1181, "CVE": 1, "FileHash-SHA256": 1556, "URL": 2748, "domain": 419, "FileHash-MD5": 646, "FileHash-SHA1": 348, "email": 3, "CIDR": 1 }, "indicator_count": 6903, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a029f7654ae30157d89f", "name": "DGA Domain", "description": "", "modified": "2023-12-06T16:24:07.472000", "created": "2023-12-06T16:24:07.472000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1181, "CVE": 1, "FileHash-SHA256": 1556, "URL": 2748, "domain": 419, "FileHash-MD5": 646, "FileHash-SHA1": 348, "email": 3, "CIDR": 1 }, "indicator_count": 6903, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6544cbbca7610e92e4262c47", "name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Targeting", "description": "", "modified": "2023-11-29T14:03:31.663000", "created": "2023-11-03T10:30:20.965000", "tags": [ "ssl certificate", "whois record", "contacted", "referrer", "communicating", "resolutions", "historical ssl", "whois whois", "http", "critical risk", "dark power", "cobalt strike", "malware", "core", "critical", "copy", "formbook", "submission", "sophos sophos", "xcitium verdict", "cloud xcitium", "verdict cloud", "history first", "analysis", "utc http", "response final", "url https", "march", "execution", "falcon sandbox", "pattern match", "changelog", "header", "layer", "data", "ipv4", "function", "file", "et tor", "known tor", "meta", "monitoring", "date", "body", "form", "august", "june", "friendly", "main", "footer", "unknown", "hybrid", "general", "click", "strings", "class", "generator", "error", "pe resource", "redline stealer", "april", "lockbit", "emotet", "hacktool", "apple", "tsara brashears", "tmobile", "pyinstaller", "password", "dns poisoning", "domains", "abuse", "kiannas law", "cyber security", "cisco umbrella", "site", "malware site", "malicious site", "safe site", "alexa top", "million", "phishing site", "team phishing", "exploit", "download", "unruy", "alexa", "riskware", "back", "azorult", "phishing", "service", "runescape", "facebook", "bank", "team", "cutwail", "adload", "maltiverse", "kryptik", "united", "cyber threat", "engineering", "bambernek", "strike", "zbot", "suppobox", "malicious", "ransomware", "virut", "bandoo", "matsnu", "iframe", "zeus", "agent", "steam", "nymaim", "citadel", "heur", "covid19", "simda", "artemis", "bradesco", "pony", "pykspa", "sodinokibi", "betabot", "virustotal", "tinba", "domaiq", "ave maria", "revil", "downloader", "tofsee", "vawtrak", "hotmail", "dnspionage", "nexus", "generic", "andromeda", "dropper", "crypt", "outbreak", "wacatac", "mimikatz", "trojanx", "astaroth", "keybase", "stealer", "radamant", "kovter", "unsafe", "win64", "conduit", "presenoker", "opencandy", "remcos", "miner", "agenttesla", "trojan", "detplock", "networm", "fusioncore", "acint", "installpack", "xtrat", "nircmd", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "filetour", "installcore", "floxif", "cleaner", "patcher", "kgs0", "kls0", "threat report", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist http", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Kryptik", "display_name": "Kryptik", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "654140bae73f795aa914e8de", "export_count": 108, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 518, "FileHash-SHA1": 507, "FileHash-SHA256": 10945, "URL": 19764, "domain": 5110, "hostname": 8668, "CIDR": 2, "CVE": 24 }, "indicator_count": 45538, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "873 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654140bae73f795aa914e8de", "name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears", "description": "", "modified": "2023-11-29T14:03:31.663000", "created": "2023-10-31T18:00:26.439000", "tags": [ "ssl certificate", "whois record", "contacted", "referrer", "communicating", "resolutions", "historical ssl", "whois whois", "http", "critical risk", "dark power", "cobalt strike", "malware", "core", "critical", "copy", "formbook", "submission", "sophos sophos", "xcitium verdict", "cloud xcitium", "verdict cloud", "history first", "analysis", "utc http", "response final", "url https", "march", "execution", "falcon sandbox", "pattern match", "changelog", "header", "layer", "data", "ipv4", "function", "file", "et tor", "known tor", "meta", "monitoring", "date", "body", "form", "august", "june", "friendly", "main", "footer", "unknown", "hybrid", "general", "click", "strings", "class", "generator", "error", "pe resource", "redline stealer", "april", "lockbit", "emotet", "hacktool", "apple", "tsara brashears", "tmobile", "pyinstaller", "password", "dns poisoning", "domains", "abuse", "kiannas law", "cyber security", "cisco umbrella", "site", "malware site", "malicious site", "safe site", "alexa top", "million", "phishing site", "team phishing", "exploit", "download", "unruy", "alexa", "riskware", "back", "azorult", "phishing", "service", "runescape", "facebook", "bank", "team", "cutwail", "adload", "maltiverse", "kryptik", "united", "cyber threat", "engineering", "bambernek", "strike", "zbot", "suppobox", "malicious", "ransomware", "virut", "bandoo", "matsnu", "iframe", "zeus", "agent", "steam", "nymaim", "citadel", "heur", "covid19", "simda", "artemis", "bradesco", "pony", "pykspa", "sodinokibi", "betabot", "virustotal", "tinba", "domaiq", "ave maria", "revil", "downloader", "tofsee", "vawtrak", "hotmail", "dnspionage", "nexus", "generic", "andromeda", "dropper", "crypt", "outbreak", "wacatac", "mimikatz", "trojanx", "astaroth", "keybase", "stealer", "radamant", "kovter", "unsafe", "win64", "conduit", "presenoker", "opencandy", "remcos", "miner", "agenttesla", "trojan", "detplock", "networm", "fusioncore", "acint", "installpack", "xtrat", "nircmd", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "filetour", "installcore", "floxif", "cleaner", "patcher", "kgs0", "kls0", "threat report", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist http", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Kryptik", "display_name": "Kryptik", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "65401d73e96dd70037ed22a7", "export_count": 98, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 518, "FileHash-SHA1": 507, "FileHash-SHA256": 10945, "URL": 19764, "domain": 5110, "hostname": 8668, "CIDR": 2, "CVE": 24 }, "indicator_count": 45538, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "873 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65401d8480e4a9ed725f6458", "name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears", "description": "I don't want to be dramatic but...Main source of cyber attacks. Includes - governmentattic.org, tulach.cc, malvertizing, monitoring. remote attacks, endangered Tsara Brashears attack, BotNet, CNC, telephone service, Apple hacking. https://bgp.tools/prefix/167.203.96.0, adult content, moo.com, afraid.org. I'm assuming accessed by attorneys and insurance companies to silence people forever. Death references. I can't verify if government complicity is accurate or spoofed. Stranger was owned by American International Group, found in an STSH domain (AIG.com). Last night Ben Cartwright became the sole owner of domain after being a verified AIG domain. Terrifying. Looks like the main target is the same. Tsara Brashears. \nFound in an attack against a device 'malicious sorry index' that caused research effort. \n[auto populated: BGP.TOOLS - bgp.tools - has published its full list of historical records for BGP, which are based on its current IP address address and routing system (PGP).]", "modified": "2023-11-29T14:03:31.663000", "created": "2023-10-30T21:17:56.820000", "tags": [ "ssl certificate", "whois record", "contacted", "referrer", "communicating", "resolutions", "historical ssl", "whois whois", "http", "critical risk", "dark power", "cobalt strike", "malware", "core", "critical", "copy", "formbook", "submission", "sophos sophos", "xcitium verdict", "cloud xcitium", "verdict cloud", "history first", "analysis", "utc http", "response final", "url https", "march", "execution", "falcon sandbox", "pattern match", "changelog", "header", "layer", "data", "ipv4", "function", "file", "et tor", "known tor", "meta", "monitoring", "date", "body", "form", "august", "june", "friendly", "main", "footer", "unknown", "hybrid", "general", "click", "strings", "class", "generator", "error", "pe resource", "redline stealer", "april", "lockbit", "emotet", "hacktool", "apple", "tsara brashears", "tmobile", "pyinstaller", "password", "dns poisoning", "domains", "abuse", "kiannas law", "cyber security", "cisco umbrella", "site", "malware site", "malicious site", "safe site", "alexa top", "million", "phishing site", "team phishing", "exploit", "download", "unruy", "alexa", "riskware", "back", "azorult", "phishing", "service", "runescape", "facebook", "bank", "team", "cutwail", "adload", "maltiverse", "kryptik", "united", "cyber threat", "engineering", "bambernek", "strike", "zbot", "suppobox", "malicious", "ransomware", "virut", "bandoo", "matsnu", "iframe", "zeus", "agent", "steam", "nymaim", "citadel", "heur", "covid19", "simda", "artemis", "bradesco", "pony", "pykspa", "sodinokibi", "betabot", "virustotal", "tinba", "domaiq", "ave maria", "revil", "downloader", "tofsee", "vawtrak", "hotmail", "dnspionage", "nexus", "generic", "andromeda", "dropper", "crypt", "outbreak", "wacatac", "mimikatz", "trojanx", "astaroth", "keybase", "stealer", "radamant", "kovter", "unsafe", "win64", "conduit", "presenoker", "opencandy", "remcos", "miner", "agenttesla", "trojan", "detplock", "networm", "fusioncore", "acint", "installpack", "xtrat", "nircmd", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "filetour", "installcore", "floxif", "cleaner", "patcher", "kgs0", "kls0", "threat report", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist http", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Kryptik", "display_name": "Kryptik", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": null, "export_count": 83, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 518, "FileHash-SHA1": 507, "FileHash-SHA256": 10945, "URL": 19764, "domain": 5110, "hostname": 8668, "CIDR": 2, "CVE": 24 }, "indicator_count": 45538, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "873 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65401d76b057b79aaf7ba4a7", "name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears", "description": "I don't want to be dramatic but...Main source of cyber attacks. Includes - governmentattic.org, tulach.cc, malvertizing, monitoring. remote attacks, endangered Tsara Brashears attack, BotNet, CNC, telephone service, Apple hacking. https://bgp.tools/prefix/167.203.96.0, adult content, moo.com, afraid.org. I'm assuming accessed by attorneys and insurance companies to silence people forever. Death references. I can't verify if government complicity is accurate or spoofed. Stranger was owned by American International Group, found in an STSH domain (AIG.com). Last night Ben Cartwright became the sole owner of domain after being a verified AIG domain. Terrifying. Looks like the main target is the same. Tsara Brashears. \nFound in an attack against a device 'malicious sorry index' that caused research effort. \n[auto populated: BGP.TOOLS - bgp.tools - has published its full list of historical records for BGP, which are based on its current IP address address and routing system (PGP).]", "modified": "2023-11-29T14:03:31.663000", "created": "2023-10-30T21:17:40.239000", "tags": [ "ssl certificate", "whois record", "contacted", "referrer", "communicating", "resolutions", "historical ssl", "whois whois", "http", "critical risk", "dark power", "cobalt strike", "malware", "core", "critical", "copy", "formbook", "submission", "sophos sophos", "xcitium verdict", "cloud xcitium", "verdict cloud", "history first", "analysis", "utc http", "response final", "url https", "march", "execution", "falcon sandbox", "pattern match", "changelog", "header", "layer", "data", "ipv4", "function", "file", "et tor", "known tor", "meta", "monitoring", "date", "body", "form", "august", "june", "friendly", "main", "footer", "unknown", "hybrid", "general", "click", "strings", "class", "generator", "error", "pe resource", "redline stealer", "april", "lockbit", "emotet", "hacktool", "apple", "tsara brashears", "tmobile", "pyinstaller", "password", "dns poisoning", "domains", "abuse", "kiannas law", "cyber security", "cisco umbrella", "site", "malware site", "malicious site", "safe site", "alexa top", "million", "phishing site", "team phishing", "exploit", "download", "unruy", "alexa", "riskware", "back", "azorult", "phishing", "service", "runescape", "facebook", "bank", "team", "cutwail", "adload", "maltiverse", "kryptik", "united", "cyber threat", "engineering", "bambernek", "strike", "zbot", "suppobox", "malicious", "ransomware", "virut", "bandoo", "matsnu", "iframe", "zeus", "agent", "steam", "nymaim", "citadel", "heur", "covid19", "simda", "artemis", "bradesco", "pony", "pykspa", "sodinokibi", "betabot", "virustotal", "tinba", "domaiq", "ave maria", "revil", "downloader", "tofsee", "vawtrak", "hotmail", "dnspionage", "nexus", "generic", "andromeda", "dropper", "crypt", "outbreak", "wacatac", "mimikatz", "trojanx", "astaroth", "keybase", "stealer", "radamant", "kovter", "unsafe", "win64", "conduit", "presenoker", "opencandy", "remcos", "miner", "agenttesla", "trojan", "detplock", "networm", "fusioncore", "acint", "installpack", "xtrat", "nircmd", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "filetour", "installcore", "floxif", "cleaner", "patcher", "kgs0", "kls0", "threat report", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist http", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Kryptik", "display_name": "Kryptik", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": null, "export_count": 84, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 518, "FileHash-SHA1": 507, "FileHash-SHA256": 10945, "URL": 19764, "domain": 5110, "hostname": 8668, "CIDR": 2, "CVE": 24 }, "indicator_count": 45538, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "873 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65401d73e96dd70037ed22a7", "name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears", "description": "I don't want to be dramatic but...Main source of cyber attacks. Includes - governmentattic.org, tulach.cc, malvertizing, monitoring. remote attacks, endangered Tsara Brashears attack, BotNet, CNC, telephone service, Apple hacking. https://bgp.tools/prefix/167.203.96.0, adult content, moo.com, afraid.org. I'm assuming accessed by attorneys and insurance companies to silence people forever. Death references. I can't verify if government complicity is accurate or spoofed. Stranger was owned by American International Group, found in an STSH domain (AIG.com). Last night Ben Cartwright became the sole owner of domain after being a verified AIG domain. Terrifying. Looks like the main target is the same. Tsara Brashears. \nFound in an attack against a device 'malicious sorry index' that caused research effort. \n[auto populated: BGP.TOOLS - bgp.tools - has published its full list of historical records for BGP, which are based on its current IP address address and routing system (PGP).]", "modified": "2023-11-29T14:03:31.663000", "created": "2023-10-30T21:17:39.802000", "tags": [ "ssl certificate", "whois record", "contacted", "referrer", "communicating", "resolutions", "historical ssl", "whois whois", "http", "critical risk", "dark power", "cobalt strike", "malware", "core", "critical", "copy", "formbook", "submission", "sophos sophos", "xcitium verdict", "cloud xcitium", "verdict cloud", "history first", "analysis", "utc http", "response final", "url https", "march", "execution", "falcon sandbox", "pattern match", "changelog", "header", "layer", "data", "ipv4", "function", "file", "et tor", "known tor", "meta", "monitoring", "date", "body", "form", "august", "june", "friendly", "main", "footer", "unknown", "hybrid", "general", "click", "strings", "class", "generator", "error", "pe resource", "redline stealer", "april", "lockbit", "emotet", "hacktool", "apple", "tsara brashears", "tmobile", "pyinstaller", "password", "dns poisoning", "domains", "abuse", "kiannas law", "cyber security", "cisco umbrella", "site", "malware site", "malicious site", "safe site", "alexa top", "million", "phishing site", "team phishing", "exploit", "download", "unruy", "alexa", "riskware", "back", "azorult", "phishing", "service", "runescape", "facebook", "bank", "team", "cutwail", "adload", "maltiverse", "kryptik", "united", "cyber threat", "engineering", "bambernek", "strike", "zbot", "suppobox", "malicious", "ransomware", "virut", "bandoo", "matsnu", "iframe", "zeus", "agent", "steam", "nymaim", "citadel", "heur", "covid19", "simda", "artemis", "bradesco", "pony", "pykspa", "sodinokibi", "betabot", "virustotal", "tinba", "domaiq", "ave maria", "revil", "downloader", "tofsee", "vawtrak", "hotmail", "dnspionage", "nexus", "generic", "andromeda", "dropper", "crypt", "outbreak", "wacatac", "mimikatz", "trojanx", "astaroth", "keybase", "stealer", "radamant", "kovter", "unsafe", "win64", "conduit", "presenoker", "opencandy", "remcos", "miner", "agenttesla", "trojan", "detplock", "networm", "fusioncore", "acint", "installpack", "xtrat", "nircmd", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "filetour", "installcore", "floxif", "cleaner", "patcher", "kgs0", "kls0", "threat report", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist http", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Kryptik", "display_name": "Kryptik", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 518, "FileHash-SHA1": 507, "FileHash-SHA256": 10945, "URL": 19764, "domain": 5110, "hostname": 8668, "CIDR": 2, "CVE": 24 }, "indicator_count": 45538, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "873 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65401d5ee5a7359a5e815a6a", "name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears", "description": "I don't want to be dramatic but...Main source of cyber attacks. Includes - governmentattic.org, tulach.cc, malvertizing, monitoring. remote attacks, endangered Tsara Brashears attack, BotNet, CNC, telephone service, Apple hacking. https://bgp.tools/prefix/167.203.96.0, adult content, moo.com, afraid.org. I'm assuming accessed by attorneys and insurance companies to silence people forever. Death references. I can't verify if government complicity is accurate or spoofed. Stranger was owned by American International Group, found in an STSH domain (AIG.com). Last night Ben Cartwright became the sole owner of domain after being a verified AIG domain. Terrifying. Looks like the main target is the same. Tsara Brashears. \nFound in an attack against a device 'malicious sorry index' that caused research effort. \n[auto populated: BGP.TOOLS - bgp.tools - has published its full list of historical records for BGP, which are based on its current IP address address and routing system (PGP).]", "modified": "2023-11-29T14:03:31.663000", "created": "2023-10-30T21:17:18.712000", "tags": [ "ssl certificate", "whois record", "contacted", "referrer", "communicating", "resolutions", "historical ssl", "whois whois", "http", "critical risk", "dark power", "cobalt strike", "malware", "core", "critical", "copy", "formbook", "submission", "sophos sophos", "xcitium verdict", "cloud xcitium", "verdict cloud", "history first", "analysis", "utc http", "response final", "url https", "march", "execution", "falcon sandbox", "pattern match", "changelog", "header", "layer", "data", "ipv4", "function", "file", "et tor", "known tor", "meta", "monitoring", "date", "body", "form", "august", "june", "friendly", "main", "footer", "unknown", "hybrid", "general", "click", "strings", "class", "generator", "error", "pe resource", "redline stealer", "april", "lockbit", "emotet", "hacktool", "apple", "tsara brashears", "tmobile", "pyinstaller", "password", "dns poisoning", "domains", "abuse", "kiannas law", "cyber security", "cisco umbrella", "site", "malware site", "malicious site", "safe site", "alexa top", "million", "phishing site", "team phishing", "exploit", "download", "unruy", "alexa", "riskware", "back", "azorult", "phishing", "service", "runescape", "facebook", "bank", "team", "cutwail", "adload", "maltiverse", "kryptik", "united", "cyber threat", "engineering", "bambernek", "strike", "zbot", "suppobox", "malicious", "ransomware", "virut", "bandoo", "matsnu", "iframe", "zeus", "agent", "steam", "nymaim", "citadel", "heur", "covid19", "simda", "artemis", "bradesco", "pony", "pykspa", "sodinokibi", "betabot", "virustotal", "tinba", "domaiq", "ave maria", "revil", "downloader", "tofsee", "vawtrak", "hotmail", "dnspionage", "nexus", "generic", "andromeda", "dropper", "crypt", "outbreak", "wacatac", "mimikatz", "trojanx", "astaroth", "keybase", "stealer", "radamant", "kovter", "unsafe", "win64", "conduit", "presenoker", "opencandy", "remcos", "miner", "agenttesla", "trojan", "detplock", "networm", "fusioncore", "acint", "installpack", "xtrat", "nircmd", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "filetour", "installcore", "floxif", "cleaner", "patcher", "kgs0", "kls0", "threat report", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist http", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Kryptik", "display_name": "Kryptik", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 518, "FileHash-SHA1": 507, "FileHash-SHA256": 10945, "URL": 19764, "domain": 5110, "hostname": 8668, "CIDR": 2, "CVE": 24 }, "indicator_count": 45538, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "873 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f123278ba7a9e62fdc4cb", "name": "DGA Domain", "description": "", "modified": "2023-10-30T02:17:22.194000", "created": "2023-10-30T02:17:22.194000", "tags": [ "domain related", "united", "as32244 liquid", "creation date", "search", "for privacy", "entries", "unknown", "moved", "frame", "passive dns", "date", "body", "footer", "apache", "abuse", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65134ae8fc70cf6ef83d7d74", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 950, "email": 7, "CIDR": 2, "FileHash-MD5": 650, "FileHash-SHA256": 2081, "URL": 3334, "hostname": 1804, "CVE": 1, "FileHash-SHA1": 353 }, "indicator_count": 9182, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "903 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65134ae8fc70cf6ef83d7d74", "name": "DGA Domain", "description": "", "modified": "2023-09-26T21:19:36.331000", "created": "2023-09-26T21:19:36.331000", "tags": [ "domain related", "united", "as32244 liquid", "creation date", "search", "for privacy", "entries", "unknown", "moved", "frame", "passive dns", "date", "body", "footer", "apache", "abuse", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64df7031dfbe14bb4c3d7de0", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 950, "email": 7, "CIDR": 2, "FileHash-MD5": 650, "FileHash-SHA256": 2081, "URL": 3334, "hostname": 1804, "CVE": 1, "FileHash-SHA1": 353 }, "indicator_count": 9182, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "937 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64df7031dfbe14bb4c3d7de0", "name": "DGA Domain", "description": "nsis\ncontains-pe\ndownloads-pdf\nupx\nDGA domain. Host at least 2 malicious files.\nA domain generation algorithm (DGA) is a program that generates a large list of domain names. DGAs provide malware with new domains in order to evade security countermeasures. DGA can provide hundreds of new, random domains. This enables hackers to keep their servers up and running without being blocklisted or taken down by the victim. Malware switch between domains faster than security software can take them down.\nUsed by Adversarial businesses, authentication and especially law firms to silence victims of crime.", "modified": "2023-09-17T18:04:52.183000", "created": "2023-08-18T13:20:49.696000", "tags": [ "domain related", "united", "as32244 liquid", "creation date", "search", "for privacy", "entries", "unknown", "moved", "frame", "passive dns", "date", "body", "footer", "apache", "abuse", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 950, "email": 7, "CIDR": 2, "FileHash-MD5": 650, "FileHash-SHA256": 2081, "URL": 3334, "hostname": 1804, "CVE": 1, "FileHash-SHA1": 353 }, "indicator_count": 9182, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "946 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "www.hallrender.com (malware hosting)", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "west-sca.duckdns.org", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "batchpublicrecords.westlaw.com", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "us-west-2.es.amazonaws.com (pslicorp)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "https://poemhunter.com/tsara-brashears/", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "fakecelebporno.com", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "batchcourtexpressservicesqa.westlaw.com", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "government.westlaw.com", "www.dead-speak.com", "rp.dudaran2.com [routerlogin.net to safebae.org]", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "192.124.249.53:80", "www42.jhonisdead.com", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "apple-aqo.com (1 DNSPod.net)", "https://hallrender.com/attorney/brian-sabey", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "https://www.hallrender.com/attorney/brian-sabey", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor" ], "malware_families": [ "Kryptik", "Vitzo", "China telecom", "Beach research", "Behav", "Qbot", "Webtoolbar", "Trojanspy", "Babar", "Wannacry kill switch", "Ubot", "Apnic", "Trojan:win32/wacatac", "Cl0p", "Tulach", "Njrat", "Zbot", "Freemake", "Alf:trojan:win32/formbook", "Redline", "Sonbokli", "Mirai", "Rms", "Redirector", "Invoke-mimikatz", "Uztuby", "Trojan:win32/tiggre", "Hsbc", "Inmortal", "Maltiverse", "Suppobox", "Domains", "Zeus", "Win32.pdf.alien", "Emotet" ], "industries": [ "Health" ], "unique_indicators": 73514 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/notyetbreakeven.group", "whois": "http://whois.domaintools.com/notyetbreakeven.group", "domain": "notyetbreakeven.group", "hostname": "webdisk.notyetbreakeven.group" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 17, "pulses": [ { "id": "659d6ae800440c0befb47e22", "name": "BazaLoader affiliates use elaborate infection chains via notable victim interaction", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2024-01-09T15:48:56.676000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657c045ef15bd06d27da1b08", "export_count": 250, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "828 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658ef8c00492cc6bdaa8b605", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch | https://safebae.org", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-29T16:50:08.330000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "658dd341d97d04b0253392d4", "export_count": 518, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "828 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658dd341d97d04b0253392d4", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-28T19:57:53.875000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657ab025b97f20f31bbfcd70", "export_count": 522, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "828 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657c045ef15bd06d27da1b08", "name": "Resource Hijacking by attorney https://hallrender.com/attorney/brian-sabey", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-15T07:46:38.664000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657c03432f4f2997c7d3aff4", "export_count": 508, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "828 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657c03432f4f2997c7d3aff4", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-15T07:41:55.972000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657ab025b97f20f31bbfcd70", "export_count": 508, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "828 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657ab025b97f20f31bbfcd70", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch", "description": "Alleged attorney defending Jeffrey Scott Reimer DPT. Firm uses every possible tool to destroy, make life unbearable, threaten and cause harm to targets. I don't feel safe. I hope this research helps the next target.\n\nMissouri government is seen throughout. The corruption is mafia deep. There is tracking. In person stalking, theft, identity theft, mail theft, modification of records and services, legitimate death threats,etc.\nOpen records act: Target has made multiple reports to authorities regarding physical assaults, threats, phone hacking, etc. OCA: Reports show a settlement was paid by Brian Sabey in part to help Tsara Brashears discover hacker.\nI've been receiving death threats, followed, property accessed, tampering. Attacking entire family including her children, father and beyond.", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-14T07:35:01.537000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": null, "export_count": 512, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "828 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a6b7ff4216fe9cd82625", "name": "DGA Domain", "description": "", "modified": "2023-12-06T16:52:05.939000", "created": "2023-12-06T16:52:05.939000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1181, "CVE": 1, "FileHash-SHA256": 1556, "URL": 2748, "domain": 419, "FileHash-MD5": 646, "FileHash-SHA1": 348, "email": 3, "CIDR": 1 }, "indicator_count": 6903, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a029f7654ae30157d89f", "name": "DGA Domain", "description": "", "modified": "2023-12-06T16:24:07.472000", "created": "2023-12-06T16:24:07.472000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1181, "CVE": 1, "FileHash-SHA256": 1556, "URL": 2748, "domain": 419, "FileHash-MD5": 646, "FileHash-SHA1": 348, "email": 3, "CIDR": 1 }, "indicator_count": 6903, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6544cbbca7610e92e4262c47", "name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Targeting", "description": "", "modified": "2023-11-29T14:03:31.663000", "created": "2023-11-03T10:30:20.965000", "tags": [ "ssl certificate", "whois record", "contacted", "referrer", "communicating", "resolutions", "historical ssl", "whois whois", "http", "critical risk", "dark power", "cobalt strike", "malware", "core", "critical", "copy", "formbook", "submission", "sophos sophos", "xcitium verdict", "cloud xcitium", "verdict cloud", "history first", "analysis", "utc http", "response final", "url https", "march", "execution", "falcon sandbox", "pattern match", "changelog", "header", "layer", "data", "ipv4", "function", "file", "et tor", "known tor", "meta", "monitoring", "date", "body", "form", "august", "june", "friendly", "main", "footer", "unknown", "hybrid", "general", "click", "strings", "class", "generator", "error", "pe resource", "redline stealer", "april", "lockbit", "emotet", "hacktool", "apple", "tsara brashears", "tmobile", "pyinstaller", "password", "dns poisoning", "domains", "abuse", "kiannas law", "cyber security", "cisco umbrella", "site", "malware site", "malicious site", "safe site", "alexa top", "million", "phishing site", "team phishing", "exploit", "download", "unruy", "alexa", "riskware", "back", "azorult", "phishing", "service", "runescape", "facebook", "bank", "team", "cutwail", "adload", "maltiverse", "kryptik", "united", "cyber threat", "engineering", "bambernek", "strike", "zbot", "suppobox", "malicious", "ransomware", "virut", "bandoo", "matsnu", "iframe", "zeus", "agent", "steam", "nymaim", "citadel", "heur", "covid19", "simda", "artemis", "bradesco", "pony", "pykspa", "sodinokibi", "betabot", "virustotal", "tinba", "domaiq", "ave maria", "revil", "downloader", "tofsee", "vawtrak", "hotmail", "dnspionage", "nexus", "generic", "andromeda", "dropper", "crypt", "outbreak", "wacatac", "mimikatz", "trojanx", "astaroth", "keybase", "stealer", "radamant", "kovter", "unsafe", "win64", "conduit", "presenoker", "opencandy", "remcos", "miner", "agenttesla", "trojan", "detplock", "networm", "fusioncore", "acint", "installpack", "xtrat", "nircmd", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "filetour", "installcore", "floxif", "cleaner", "patcher", "kgs0", "kls0", "threat report", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist http", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Kryptik", "display_name": "Kryptik", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "654140bae73f795aa914e8de", "export_count": 108, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 518, "FileHash-SHA1": 507, "FileHash-SHA256": 10945, "URL": 19764, "domain": 5110, "hostname": 8668, "CIDR": 2, "CVE": 24 }, "indicator_count": 45538, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "873 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654140bae73f795aa914e8de", "name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears", "description": "", "modified": "2023-11-29T14:03:31.663000", "created": "2023-10-31T18:00:26.439000", "tags": [ "ssl certificate", "whois record", "contacted", "referrer", "communicating", "resolutions", "historical ssl", "whois whois", "http", "critical risk", "dark power", "cobalt strike", "malware", "core", "critical", "copy", "formbook", "submission", "sophos sophos", "xcitium verdict", "cloud xcitium", "verdict cloud", "history first", "analysis", "utc http", "response final", "url https", "march", "execution", "falcon sandbox", "pattern match", "changelog", "header", "layer", "data", "ipv4", "function", "file", "et tor", "known tor", "meta", "monitoring", "date", "body", "form", "august", "june", "friendly", "main", "footer", "unknown", "hybrid", "general", "click", "strings", "class", "generator", "error", "pe resource", "redline stealer", "april", "lockbit", "emotet", "hacktool", "apple", "tsara brashears", "tmobile", "pyinstaller", "password", "dns poisoning", "domains", "abuse", "kiannas law", "cyber security", "cisco umbrella", "site", "malware site", "malicious site", "safe site", "alexa top", "million", "phishing site", "team phishing", "exploit", "download", "unruy", "alexa", "riskware", "back", "azorult", "phishing", "service", "runescape", "facebook", "bank", "team", "cutwail", "adload", "maltiverse", "kryptik", "united", "cyber threat", "engineering", "bambernek", "strike", "zbot", "suppobox", "malicious", "ransomware", "virut", "bandoo", "matsnu", "iframe", "zeus", "agent", "steam", "nymaim", "citadel", "heur", "covid19", "simda", "artemis", "bradesco", "pony", "pykspa", "sodinokibi", "betabot", "virustotal", "tinba", "domaiq", "ave maria", "revil", "downloader", "tofsee", "vawtrak", "hotmail", "dnspionage", "nexus", "generic", "andromeda", "dropper", "crypt", "outbreak", "wacatac", "mimikatz", "trojanx", "astaroth", "keybase", "stealer", "radamant", "kovter", "unsafe", "win64", "conduit", "presenoker", "opencandy", "remcos", "miner", "agenttesla", "trojan", "detplock", "networm", "fusioncore", "acint", "installpack", "xtrat", "nircmd", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "filetour", "installcore", "floxif", "cleaner", "patcher", "kgs0", "kls0", "threat report", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist http", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Kryptik", "display_name": "Kryptik", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "65401d73e96dd70037ed22a7", "export_count": 98, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 518, "FileHash-SHA1": 507, "FileHash-SHA256": 10945, "URL": 19764, "domain": 5110, "hostname": 8668, "CIDR": 2, "CVE": 24 }, "indicator_count": 45538, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "873 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://webdisk.notyetbreakeven.group", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://webdisk.notyetbreakeven.group", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776732656.4855099 }