{ "type": "URL", "indicator": "https://webdisk.t4tonly.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://webdisk.t4tonly.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3806088690, "indicator": "https://webdisk.t4tonly.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 16, "pulses": [ { "id": "69b2730aa46a25d7949daa8d", "name": "apple retail dnspionage clone octoseek", "description": "", "modified": "2026-04-11T00:03:57.096000", "created": "2026-03-12T08:02:18.609000", "tags": [ "Ghost RAT", "WebToolbar", "Nanocore RAT", "GameHack", "Cobalt Strike", "RedlineStealer", "HallGrand", "InstallCore", "InstallBrain", "Emotet", "Tofsee", "InMortal", "Bradesco", "Agent Tesla", "Mitre", "Pyscpa", "TrojanSpy", "SuppoBox", "Occamy", "DNSPIONAGE", "Stealer", "Password", "Apple", "Retail", "Cherry Creek Colorado", "Bot Networks", "Ghost RAT", "Networm" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "658a2b6cfdcfeec5db5f31a1", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7996, "FileHash-SHA1": 3921, "FileHash-SHA256": 5341, "hostname": 2108, "domain": 1005, "URL": 5635, "CIDR": 2, "CVE": 21, "email": 28 }, "indicator_count": 26057, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f27f90cb56df78929c01d4", "name": "CO.gov/PEAK - Post Mail Social Engineering | M Brian Sabey and CBI", "description": "", "modified": "2024-09-24T14:02:17.711000", "created": "2024-03-14T04:39:44.522000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65f2691bb1405f9a30cf46b6", "export_count": 76, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6664, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2523, "domain": 1792, "hostname": 1889, "CVE": 2, "CIDR": 19, "email": 22 }, "indicator_count": 13082, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "572 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f4ba867ec44a4dc0e6fc96", "name": "DNS Hijacking - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -MilesIT.com", "description": "Jiuxiu Live - High-quality beauty online video interactive community - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -porn dump. Performed tiny DNS test on affected target. \nDNS stuffing pornography. DNSpionage , custom browser, DNS tunneling encoding data, programs, protocols, DNS queries, responses, amplification attack; perform (DDoS) on server, flood attack, spoofing. Attack. Miles IT & affiliated logging inas target. Pitfall of being compromised for some; you won't speak to legitimate business unless you know & recognize voice. \nSome notations in references.", "modified": "2024-04-13T11:00:32.548000", "created": "2024-03-15T21:15:50.802000", "tags": [ "q htpps", "g htpps", "q https", "virustotal", "exif standard", "tiff image", "msie", "windows nt", "wow64", "slcc2", "media center", "default", "jpeg image", "search", "copy", "code", "write", "pecompact", "february", "packer", "delphi", "win32", "persistence", "execution", "next", "create c", "delete c", "intel", "ms windows", "pe32", "precreate read", "united", "show", "regsetvalueexa", "trojan", "markus", "mozilla", "write c", "json", "entries", "ascii text", "data", "as15169", "error", "malware", "win64", "denmark as32934", "ip hostname", "reverse ip", "lookup country", "as7018 att", "as14618", "as54113", "country code", "as36081 state", "redirect chain", "redirection", "location", "lakewood", "emails", "as name", "ssl certificate", "whois record", "k0pmbc", "spsfsb", "zwdk9d", "vwdzfe", "contacted", "referrer", "ntmzac", "historical ssl", "august", "hacktool", "core", "agent tesla", "emotet", "chaos", "ransomexx", "quasar", "algorithm", "v3 serial", "number", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "key identifier", "subject key", "first", "server", "registrar abuse", "date", "markmonitor", "epic games", "iana id", "contact phone", "domain status", "registrar whois", "registrar", "win32 exe", "python", "launchres", "win32 dll", "unrealengine", "detections type", "name", "bundled", "ctsu", "smokeloader", "privateloader", "relic", "monitoring", "startpage", "\u7f8e\u5973\u76f4\u64ad", "\u7f8e\u5973\u89c6\u9891", "\u7f8e\u5973\u4e3b\u64ad", "\u89c6\u9891\u804a\u5929", "\u89c6\u9891\u4ea4\u53cb", "\u7f8e\u5973\u4ea4\u53cb", "\u7f8e\u5973\u79c0\u573a", "\u6e05\u7eaf\u7f8e\u5973", "\u6027\u611f\u7f8e\u5973", "\u7f8e\u5973\u4e92\u52a8", "\u7f8e\u5973\u804a\u5929", "\u7f8e\u5973\u5728\u7ebf\u8868\u6f14", "\u7f8e\u5973\u76f4\u64ad\u95f4", "\u7f8e\u5973\u804a\u5929\u5ba4", "icp2021030667", "0110542", "copyright", "rights reserved", "resolutions", "contacted urls", "siblings domain", "siblings", "parent domain", "cname", "whitelisted", "status", "as15169 google", "asnone united", "servers", "aaaa", "body", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "site top", "heur", "alexa top", "safe site", "million", "million alexa", "site safe", "malicious site", "unsafe", "alexa", "riskware", "artemis", "blacknet rat", "quasar rat", "crack", "presenoker", "dapato", "stealer", "phish", "memscan", "nsis", "phishing", "bulz", "maltiverse", "trojanspy", "blacknet", "zbot", "aig", "unknown", "passive dns", "urls", "expiresthu", "gmt path", "scan endpoints", "encrypt", "dynamicloader", "high", "medium", "qaeaav12", "windows", "cape", "windows wget", "suspicious", "powershell", "canvas", "form", "showing", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "cus cnr3", "olet", "l http", "wifi", "wifi access", "wifi hotspot", "wifi internet", "southwest wifi", "inflight", "inflight entertainment", "southwest", "comedy", "internet", "strong", "drama", "google chrome", "business select", "internet access", "apple safari", "book", "rapid", "love", "summer", "poppy", "floyd", "district", "jackson", "kevin", "live", "music", "upgrade", "gift", "lost", "carol", "canada", "cobalt strike", "malicious", "fragtor", "phishing paypal", "mail spammer" ], "references": [ "https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420", "tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate", "Conneted to Network: drcody@milesit.com | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com", "Conneted to Network: http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net", "Conneted to Network: https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3", "https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357", "Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone.", "Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode.", "Target admits to ignoring major signs: 'PI' called just before request submitted.Spent hours researching & denouncing targets former 'questionable 'PI", "'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight.", "'PI' arrives in separate car w/unseen veteran. Points out DV LP to target , states he's not with her. Leads target to restaurant 'to talk'. Stays awhile.", "'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional vowing to be better.", "Emotionally demands disabled target cash advanced to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing.", "Of note: Alleging Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days provide hacker secured iPhone.", "'PI' claims to have information. Sends picture of who he claims is attacker now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew.", "Target knows nothing about assaulter. Chicago Fed text photo for target to confirm identity of attacker. Be sends a photo of Dr. John T. Sasha.", "Target was treated by Dr. Sasha, was not assaulter. Target relays Law Firm dropped her as she refused to include Sasha in Injury claim.", "Goal to present targets case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case.", "Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleging Chicago Fed contends be needs to move her 50+ miles.", "Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PI's.", "Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation.", "Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved box opened and tampered with.", "Issues: Target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her.", "I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found.", "Law enforcement aware and assure target in person she's not a suspect in any crime is Colorado or nationally. All DA's, law enforcement PI's check.", "You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, Purple teamer.", "Device security reset temporarily before epicgames[.]com a resource being used attempted to self download. Relentless...", "Self whitelisting tool, domains moved within nginx." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Bulz", "display_name": "Bulz", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Fragtor", "display_name": "Fragtor", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8753, "domain": 1525, "hostname": 3740, "FileHash-SHA256": 6746, "FileHash-MD5": 619, "FileHash-SHA1": 509, "SSLCertFingerprint": 3, "CVE": 8, "CIDR": 5, "email": 7 }, "indicator_count": 21915, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "736 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f980ad16123b5d52f5f76f", "name": "DNS Hijacking - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -MilesIT.com [Report originated from octoseek]", "description": "", "modified": "2024-04-13T11:00:32.548000", "created": "2024-03-19T12:10:21.291000", "tags": [ "q htpps", "g htpps", "q https", "virustotal", "exif standard", "tiff image", "msie", "windows nt", "wow64", "slcc2", "media center", "default", "jpeg image", "search", "copy", "code", "write", "pecompact", "february", "packer", "delphi", "win32", "persistence", "execution", "next", "create c", "delete c", "intel", "ms windows", "pe32", "precreate read", "united", "show", "regsetvalueexa", "trojan", "markus", "mozilla", "write c", "json", "entries", "ascii text", "data", "as15169", "error", "malware", "win64", "denmark as32934", "ip hostname", "reverse ip", "lookup country", "as7018 att", "as14618", "as54113", "country code", "as36081 state", "redirect chain", "redirection", "location", "lakewood", "emails", "as name", "ssl certificate", "whois record", "k0pmbc", "spsfsb", "zwdk9d", "vwdzfe", "contacted", "referrer", "ntmzac", "historical ssl", "august", "hacktool", "core", "agent tesla", "emotet", "chaos", "ransomexx", "quasar", "algorithm", "v3 serial", "number", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "key identifier", "subject key", "first", "server", "registrar abuse", "date", "markmonitor", "epic games", "iana id", "contact phone", "domain status", "registrar whois", "registrar", "win32 exe", "python", "launchres", "win32 dll", "unrealengine", "detections type", "name", "bundled", "ctsu", "smokeloader", "privateloader", "relic", "monitoring", "startpage", "\u7f8e\u5973\u76f4\u64ad", "\u7f8e\u5973\u89c6\u9891", "\u7f8e\u5973\u4e3b\u64ad", "\u89c6\u9891\u804a\u5929", "\u89c6\u9891\u4ea4\u53cb", "\u7f8e\u5973\u4ea4\u53cb", "\u7f8e\u5973\u79c0\u573a", "\u6e05\u7eaf\u7f8e\u5973", "\u6027\u611f\u7f8e\u5973", "\u7f8e\u5973\u4e92\u52a8", "\u7f8e\u5973\u804a\u5929", "\u7f8e\u5973\u5728\u7ebf\u8868\u6f14", "\u7f8e\u5973\u76f4\u64ad\u95f4", "\u7f8e\u5973\u804a\u5929\u5ba4", "icp2021030667", "0110542", "copyright", "rights reserved", "resolutions", "contacted urls", "siblings domain", "siblings", "parent domain", "cname", "whitelisted", "status", "as15169 google", "asnone united", "servers", "aaaa", "body", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "site top", "heur", "alexa top", "safe site", "million", "million alexa", "site safe", "malicious site", "unsafe", "alexa", "riskware", "artemis", "blacknet rat", "quasar rat", "crack", "presenoker", "dapato", "stealer", "phish", "memscan", "nsis", "phishing", "bulz", "maltiverse", "trojanspy", "blacknet", "zbot", "aig", "unknown", "passive dns", "urls", "expiresthu", "gmt path", "scan endpoints", "encrypt", "dynamicloader", "high", "medium", "qaeaav12", "windows", "cape", "windows wget", "suspicious", "powershell", "canvas", "form", "showing", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "cus cnr3", "olet", "l http", "wifi", "wifi access", "wifi hotspot", "wifi internet", "southwest wifi", "inflight", "inflight entertainment", "southwest", "comedy", "internet", "strong", "drama", "google chrome", "business select", "internet access", "apple safari", "book", "rapid", "love", "summer", "poppy", "floyd", "district", "jackson", "kevin", "live", "music", "upgrade", "gift", "lost", "carol", "canada", "cobalt strike", "malicious", "fragtor", "phishing paypal", "mail spammer" ], "references": [ "https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420", "tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate", "Conneted to Network: drcody@milesit.com | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com", "Conneted to Network: http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net", "Conneted to Network: https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3", "https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357", "Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone.", "Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode.", "Target admits to ignoring major signs: 'PI' called just before request submitted.Spent hours researching & denouncing targets former 'questionable 'PI", "'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight.", "'PI' arrives in separate car w/unseen veteran. Points out DV LP to target , states he's not with her. Leads target to restaurant 'to talk'. Stays awhile.", "'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional vowing to be better.", "Emotionally demands disabled target cash advanced to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing.", "Of note: Alleging Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days provide hacker secured iPhone.", "'PI' claims to have information. Sends picture of who he claims is attacker now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew.", "Target knows nothing about assaulter. Chicago Fed text photo for target to confirm identity of attacker. Be sends a photo of Dr. John T. Sasha.", "Target was treated by Dr. Sasha, was not assaulter. Target relays Law Firm dropped her as she refused to include Sasha in Injury claim.", "Goal to present targets case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case.", "Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleging Chicago Fed contends be needs to move her 50+ miles.", "Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PI's.", "Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation.", "Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved box opened and tampered with.", "Issues: Target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her.", "I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found.", "Law enforcement aware and assure target in person she's not a suspect in any crime is Colorado or nationally. All DA's, law enforcement PI's check.", "You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, Purple teamer.", "Device security reset temporarily before epicgames[.]com a resource being used attempted to self download. Relentless...", "Self whitelisting tool, domains moved within nginx." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Bulz", "display_name": "Bulz", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Fragtor", "display_name": "Fragtor", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" } ], "industries": [], "TLP": "white", "cloned_from": "65f4ba867ec44a4dc0e6fc96", "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8753, "domain": 1525, "hostname": 3740, "FileHash-SHA256": 6746, "FileHash-MD5": 619, "FileHash-SHA1": 509, "SSLCertFingerprint": 3, "CVE": 8, "CIDR": 5, "email": 7 }, "indicator_count": 21915, "is_author": false, "is_subscribing": null, "subscriber_count": 235, "modified_text": "736 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65be56d257bb241c4fa3f68d", "name": "AZORult CnC", "description": "Behaviors\n\nSteals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version\nSteals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software\nSteals stored email credentials of different mail clients\nSteals user names, passwords, and hostnames from different browsers\nSteals bitcoin wallets - Monero and uCoin\nSteals Steam and telegram credentials\nSteals Skype chat history and messages\nExecutes backdoor commands from a remote malicious user to collect host Internet protocol (IP) information, download/execute/delete file\nCapabilities\n\nInformation Theft\nBackdoor commands\nExploits\nDownload Routine\nImpact\n\nCompromise system security - with backdoor capabilities that can execute malicious commands, downloads and installs additional malwares", "modified": "2024-03-04T14:03:17.574000", "created": "2024-02-03T15:08:02.291000", "tags": [ "ssl certificate", "whois record", "threat roundup", "whois whois", "january", "historical ssl", "referrer", "april", "resolutions", "siblings domain", "march", "february", "obz4usfn0 http", "problems", "threat network", "infrastructure", "st201601152", "startpage", "iframe", "united", "unknown", "search", "showing", "united kingdom", "creation date", "aaaa", "cname", "scan endpoints", "all octoseek", "date", "next", "script urls", "soa nxdomain", "link", "xml title", "portugal", "domain", "status", "expiration date", "pulse pulses", "as44273 host", "domain robot", "as61969 team", "body", "as8075", "netherlands", "servers", "emails", "duo insight", "type", "asnone united", "name servers", "germany unknown", "passive dns", "as14061", "as49453", "lowfi", "a domains", "urls", "privacy inc", "customer", "trojandropper", "dynamicloader", "default", "medium", "entries", "khtml", "download", "show", "activity", "http", "copy", "write", "malware", "adware affiliate", "hostname", "trojan", "pulse submit", "url analysis", "files", "as212913 fop", "russia unknown", "as397240", "as15169 google", "as19237 omnis", "as22169 omnis", "as20068 hawk", "as133618", "as47846", "as22489", "encrypt", "record value", "pragma", "accept ch", "ireland unknown", "msie", "chrome", "style", "gmt setcookie", "as6724 strato", "core", "win32", "backdoor", "expl", "exploit", "ipv4", "virtool", "azorult cnc", "possible", "as7018 att", "regsetvalueexa", "china as4134", "service", "asnone", "dns lookup", "ransom", "push", "eternalblue", "recon", "playgame", "domain name", "as13768 aptum", "meta", "error", "as43350 nforce", "as55286", "as60558 phoenix", "ip address", "registrar", "1996", "contacted", "unlocker", "red team", "af81 http", "execution", "open", "whois sslcert", "suspicious c2", "cve202322518", "collection", "vt graph", "excel", "emotet", "metro", "jeffrey reimer pt", "sharecare", "tsara brashears", "apple", "icloud" ], "references": [ "https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z", "qbot.zip", "imp.fusioninstall.com", "https://mylegalbid.com/malwarebytes", "192.185.223.216 | 192.168.56.1 [malware]", "http://45.159.189.105/bot/regex", "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf", "xhamster.comyouporn.com", "cams4all.com", "watchhers.net", "weconnect.com", "icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net", "http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe", "init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com", "Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com", "https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music", "https://www.songculture.com/tsara-lynn-brashears-music", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "youramateuporn.com", "ns2.abovedomains.com", "ww16.porn-community.porn25.com", "https://totallyspies.1000hentai.com/tag/clover-porn/", "pirateproxy.cc", "mwilliams.dev@gmail.com | piratepages.com", "838114.parkingcrew.net", "static-push-preprod.porndig.com", "www.redtube.comyouporn.com", "https://severeporn-com.pornproxy.page/", "https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend", "yoursexy.porn | indianyouporn.com", "source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com", "cdn.pornsocket.com", "http://secure.indianpornpass.com/track/hotpornstuff", "www.anyxxxtube.net", "https://twitter.com/PORNO_SEXYBABES", "http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo", "campaign-manager.sharecare.com", "qa.companycam.com", "https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1", "24-70mm.camera", "dropboxpayments.com", "http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org", "http://xred.mooo.com", "https://sexgalaxy.net/tag/rodneymoore/", "http://alive.overit.com/~schoolbu/badmood3.exe", "jimgaffigan.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United Kingdom of Great Britain and Northern Ireland", "United States of America", "Netherlands", "Germany", "France" ], "malware_families": [ { "id": "Adware Affiliate", "display_name": "Adware Affiliate", "target": null }, { "id": "AZORult CnC", "display_name": "AZORult CnC", "target": null }, { "id": "Possible", "display_name": "Possible", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 737, "FileHash-SHA1": 692, "FileHash-SHA256": 7488, "URL": 6694, "domain": 5247, "hostname": 2932, "email": 49, "CVE": 2, "SSLCertFingerprint": 1 }, "indicator_count": 23842, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "776 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65be56d6df9d36bac14ccd87", "name": "AZORult CnC", "description": "Behaviors\n\nSteals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version\nSteals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software\nSteals stored email credentials of different mail clients\nSteals user names, passwords, and hostnames from different browsers\nSteals bitcoin wallets - Monero and uCoin\nSteals Steam and telegram credentials\nSteals Skype chat history and messages\nExecutes backdoor commands from a remote malicious user to collect host Internet protocol (IP) information, download/execute/delete file\nCapabilities\n\nInformation Theft\nBackdoor commands\nExploits\nDownload Routine\nImpact\n\nCompromise system security - with backdoor capabilities that can execute malicious commands, downloads and installs additional malwares", "modified": "2024-03-04T14:03:17.574000", "created": "2024-02-03T15:08:06.808000", "tags": [ "ssl certificate", "whois record", "threat roundup", "whois whois", "january", "historical ssl", "referrer", "april", "resolutions", "siblings domain", "march", "february", "obz4usfn0 http", "problems", "threat network", "infrastructure", "st201601152", "startpage", "iframe", "united", "unknown", "search", "showing", "united kingdom", "creation date", "aaaa", "cname", "scan endpoints", "all octoseek", "date", "next", "script urls", "soa nxdomain", "link", "xml title", "portugal", "domain", "status", "expiration date", "pulse pulses", "as44273 host", "domain robot", "as61969 team", "body", "as8075", "netherlands", "servers", "emails", "duo insight", "type", "asnone united", "name servers", "germany unknown", "passive dns", "as14061", "as49453", "lowfi", "a domains", "urls", "privacy inc", "customer", "trojandropper", "dynamicloader", "default", "medium", "entries", "khtml", "download", "show", "activity", "http", "copy", "write", "malware", "adware affiliate", "hostname", "trojan", "pulse submit", "url analysis", "files", "as212913 fop", "russia unknown", "as397240", "as15169 google", "as19237 omnis", "as22169 omnis", "as20068 hawk", "as133618", "as47846", "as22489", "encrypt", "record value", "pragma", "accept ch", "ireland unknown", "msie", "chrome", "style", "gmt setcookie", "as6724 strato", "core", "win32", "backdoor", "expl", "exploit", "ipv4", "virtool", "azorult cnc", "possible", "as7018 att", "regsetvalueexa", "china as4134", "service", "asnone", "dns lookup", "ransom", "push", "eternalblue", "recon", "playgame", "domain name", "as13768 aptum", "meta", "error", "as43350 nforce", "as55286", "as60558 phoenix", "ip address", "registrar", "1996", "contacted", "unlocker", "red team", "af81 http", "execution", "open", "whois sslcert", "suspicious c2", "cve202322518", "collection", "vt graph", "excel", "emotet", "metro", "jeffrey reimer pt", "sharecare", "tsara brashears", "apple", "icloud" ], "references": [ "https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z", "qbot.zip", "imp.fusioninstall.com", "https://mylegalbid.com/malwarebytes", "192.185.223.216 | 192.168.56.1 [malware]", "http://45.159.189.105/bot/regex", "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf", "xhamster.comyouporn.com", "cams4all.com", "watchhers.net", "weconnect.com", "icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net", "http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe", "init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com", "Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com", "https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music", "https://www.songculture.com/tsara-lynn-brashears-music", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "youramateuporn.com", "ns2.abovedomains.com", "ww16.porn-community.porn25.com", "https://totallyspies.1000hentai.com/tag/clover-porn/", "pirateproxy.cc", "mwilliams.dev@gmail.com | piratepages.com", "838114.parkingcrew.net", "static-push-preprod.porndig.com", "www.redtube.comyouporn.com", "https://severeporn-com.pornproxy.page/", "https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend", "yoursexy.porn | indianyouporn.com", "source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com", "cdn.pornsocket.com", "http://secure.indianpornpass.com/track/hotpornstuff", "www.anyxxxtube.net", "https://twitter.com/PORNO_SEXYBABES", "http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo", "campaign-manager.sharecare.com", "qa.companycam.com", "https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1", "24-70mm.camera", "dropboxpayments.com", "http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org", "http://xred.mooo.com", "https://sexgalaxy.net/tag/rodneymoore/", "http://alive.overit.com/~schoolbu/badmood3.exe", "jimgaffigan.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United Kingdom of Great Britain and Northern Ireland", "United States of America", "Netherlands", "Germany", "France" ], "malware_families": [ { "id": "Adware Affiliate", "display_name": "Adware Affiliate", "target": null }, { "id": "AZORult CnC", "display_name": "AZORult CnC", "target": null }, { "id": "Possible", "display_name": "Possible", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8134, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 737, "FileHash-SHA1": 692, "FileHash-SHA256": 7488, "URL": 6694, "domain": 5247, "hostname": 2932, "email": 49, "CVE": 2, "SSLCertFingerprint": 1 }, "indicator_count": 23842, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "776 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658a2b6cfdcfeec5db5f31a1", "name": "Apple Retail: DNSpionage | CNC Server| Injection | Remote Process Writes", "description": "It's best to update, transfer data, and activate device over safe, trusted, private internet. Bot Networks and DNS Espionage positive. Very malicious with ability to compromise every network as compromised device logs into spreading an incredibly large, very malicious ongoing cyber \nwarfare attack. Command and control server.", "modified": "2024-01-25T01:03:33.919000", "created": "2023-12-26T01:25:00.119000", "tags": [ "Ghost RAT", "WebToolbar", "Nanocore RAT", "GameHack", "Cobalt Strike", "RedlineStealer", "HallGrand", "InstallCore", "InstallBrain", "Emotet", "Tofsee", "InMortal", "Bradesco", "Agent Tesla", "Mitre", "Pyscpa", "TrojanSpy", "SuppoBox", "Occamy", "DNSPIONAGE", "Stealer", "Password", "Apple", "Retail", "Cherry Creek Colorado", "Bot Networks", "Ghost RAT", "Networm" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7996, "FileHash-SHA1": 3921, "FileHash-SHA256": 5341, "hostname": 2108, "domain": 1005, "URL": 5635, "CIDR": 2, "CVE": 21, "email": 28 }, "indicator_count": 26057, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "815 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658a2b70d4e5f1b1267a5a45", "name": "Apple Retail: DNSpionage | CNC Server| Injection | Remote Process Writes", "description": "It's best to update, transfer data, and activate device over safe, trusted, private internet. Bot Networks and DNS Espionage positive. Very malicious with ability to compromise every network as compromised device logs into spreading an incredibly large, very malicious ongoing cyber \nwarfare attack. Command and control server.", "modified": "2024-01-25T01:03:33.919000", "created": "2023-12-26T01:25:04.914000", "tags": [ "Ghost RAT", "WebToolbar", "Nanocore RAT", "GameHack", "Cobalt Strike", "RedlineStealer", "HallGrand", "InstallCore", "InstallBrain", "Emotet", "Tofsee", "InMortal", "Bradesco", "Agent Tesla", "Mitre", "Pyscpa", "TrojanSpy", "SuppoBox", "Occamy", "DNSPIONAGE", "Stealer", "Password", "Apple", "Retail", "Cherry Creek Colorado", "Bot Networks", "Ghost RAT", "Networm" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7996, "FileHash-SHA1": 3921, "FileHash-SHA256": 5341, "hostname": 2108, "domain": 1005, "URL": 5635, "CIDR": 2, "CVE": 21, "email": 28 }, "indicator_count": 26057, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "815 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658ca31a0720e83e8630677d", "name": "Apple Retail: DNSpionage | CNC Server| Injection | Remote Process [OctoSeek]", "description": "", "modified": "2024-01-25T01:03:33.919000", "created": "2023-12-27T22:20:10.878000", "tags": [ "Ghost RAT", "WebToolbar", "Nanocore RAT", "GameHack", "Cobalt Strike", "RedlineStealer", "HallGrand", "InstallCore", "InstallBrain", "Emotet", "Tofsee", "InMortal", "Bradesco", "Agent Tesla", "Mitre", "Pyscpa", "TrojanSpy", "SuppoBox", "Occamy", "DNSPIONAGE", "Stealer", "Password", "Apple", "Retail", "Cherry Creek Colorado", "Bot Networks", "Ghost RAT", "Networm" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "658a2b6cfdcfeec5db5f31a1", "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7996, "FileHash-SHA1": 3921, "FileHash-SHA256": 5341, "hostname": 2108, "domain": 1005, "URL": 5635, "CIDR": 2, "CVE": 21, "email": 28 }, "indicator_count": 26057, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "815 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6588588d4b9eb5c3530caabf", "name": "Ghost RAT | Apple Domain Robot | Cherry Creek, Colorado Retail", "description": "", "modified": "2024-01-23T17:03:33.038000", "created": "2023-12-24T16:13:01.574000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64d1e650a97b0611cf796551", "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28182, "FileHash-MD5": 4761, "FileHash-SHA1": 3109, "FileHash-SHA256": 10324, "domain": 3628, "hostname": 9624, "email": 90, "CIDR": 8, "CVE": 42 }, "indicator_count": 59768, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "817 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657ab025b97f20f31bbfcd70", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch", "description": "Alleged attorney defending Jeffrey Scott Reimer DPT. Firm uses every possible tool to destroy, make life unbearable, threaten and cause harm to targets. I don't feel safe. I hope this research helps the next target.\n\nMissouri government is seen throughout. The corruption is mafia deep. There is tracking. In person stalking, theft, identity theft, mail theft, modification of records and services, legitimate death threats,etc.\nOpen records act: Target has made multiple reports to authorities regarding physical assaults, threats, phone hacking, etc. OCA: Reports show a settlement was paid by Brian Sabey in part to help Tsara Brashears discover hacker.\nI've been receiving death threats, followed, property accessed, tampering. Attacking entire family including her children, father and beyond.", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-14T07:35:01.537000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": null, "export_count": 512, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "827 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657c03432f4f2997c7d3aff4", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-15T07:41:55.972000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657ab025b97f20f31bbfcd70", "export_count": 508, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "827 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657c045ef15bd06d27da1b08", "name": "Resource Hijacking by attorney https://hallrender.com/attorney/brian-sabey", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-15T07:46:38.664000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657c03432f4f2997c7d3aff4", "export_count": 508, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "827 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658dd341d97d04b0253392d4", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-28T19:57:53.875000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657ab025b97f20f31bbfcd70", "export_count": 522, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "827 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658ef8c00492cc6bdaa8b605", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch | https://safebae.org", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-29T16:50:08.330000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "658dd341d97d04b0253392d4", "export_count": 518, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "827 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659d6ae800440c0befb47e22", "name": "BazaLoader affiliates use elaborate infection chains via notable victim interaction", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2024-01-09T15:48:56.676000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657c045ef15bd06d27da1b08", "export_count": 250, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "827 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "west-sca.duckdns.org", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Device security reset temporarily before epicgames[.]com a resource being used attempted to self download. Relentless...", "apple-aqo.com (1 DNSPod.net)", "Target admits to ignoring major signs: 'PI' called just before request submitted.Spent hours researching & denouncing targets former 'questionable 'PI", "tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate", "Target knows nothing about assaulter. Chicago Fed text photo for target to confirm identity of attacker. Be sends a photo of Dr. John T. Sasha.", "www.dead-speak.com", "qbot.zip", "https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music", "http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode.", "192.185.223.216 | 192.168.56.1 [malware]", "weconnect.com", "icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net", "192.124.249.53:80", "init.ess.apple.com ( Code Script \u2022 MortalK)", "https://hallrender.com/attorney/brian-sabey", "838114.parkingcrew.net", "Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation.", "https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z", "source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "Self whitelisting tool, domains moved within nginx.", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "www.redtube.comyouporn.com", "Issues: Target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her.", "www.hallrender.com (malware hosting)", "https://totallyspies.1000hentai.com/tag/clover-porn/", "https://www.hallrender.com/attorney/brian-sabey", "https://severeporn-com.pornproxy.page/", "You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, Purple teamer.", "campaign-manager.sharecare.com", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "Conneted to Network: http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "c.oooooooooo.ga (c.apple.com cdn)", "I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found.", "https://poemhunter.com/tsara-brashears/", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "us-west-2.es.amazonaws.com (pslicorp)", "dropboxpayments.com", "http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe", "cams4all.com", "https://twitter.com/PORNO_SEXYBABES", "24-70mm.camera", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo", "http://alive.overit.com/~schoolbu/badmood3.exe", "Goal to present targets case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case.", "Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved box opened and tampered with.", "www.anyxxxtube.net", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Of note: Alleging Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days provide hacker secured iPhone.", "mwilliams.dev@gmail.com | piratepages.com", "https://mylegalbid.com/malwarebytes", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "http://secure.indianpornpass.com/track/hotpornstuff", "'PI' claims to have information. Sends picture of who he claims is attacker now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew.", "youramateuporn.com", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://www.songculture.com/tsara-lynn-brashears-music", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "pirateproxy.cc", "Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PI's.", "https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend", "fakecelebporno.com", "Emotionally demands disabled target cash advanced to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing.", "Conneted to Network: https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "imp.fusioninstall.com", "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight.", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Target was treated by Dr. Sasha, was not assaulter. Target relays Law Firm dropped her as she refused to include Sasha in Injury claim.", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "http://45.159.189.105/bot/regex", "qa.companycam.com", "https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone.", "http://xred.mooo.com", "ns2.abovedomains.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "yoursexy.porn | indianyouporn.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Conneted to Network: drcody@milesit.com | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com", "watchhers.net", "xhamster.comyouporn.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "0-w5-cms.ultimate-guitar.com", "static-push-preprod.porndig.com", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "https://www.anyxxxtube.net/media/favicon/apple", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "batchpublicrecords.westlaw.com", "https://sexgalaxy.net/tag/rodneymoore/", "www42.jhonisdead.com", "Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleging Chicago Fed contends be needs to move her 50+ miles.", "'PI' arrives in separate car w/unseen veteran. Points out DV LP to target , states he's not with her. Leads target to restaurant 'to talk'. Stays awhile.", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420", "http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357", "'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional vowing to be better.", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "Law enforcement aware and assure target in person she's not a suspect in any crime is Colorado or nationally. All DA's, law enforcement PI's check.", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "batchcourtexpressservicesqa.westlaw.com", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "cdn.pornsocket.com", "ww16.porn-community.porn25.com", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "jimgaffigan.com", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "Out For Blood" ], "malware_families": [ "Trojan:win32/tiggre", "Sonbokli", "Quasar", "Trojan:win32/wacatac", "Qbot", "China telecom", "Behav", "Redline", "Freemake", "Hsbc", "Blacknet", "Cl0p", "Zbot", "Fragtor", "Alf:trojan:win32/formbook", "Mirai", "Rms", "Babar", "Invoke-mimikatz", "Emotet", "Tulach", "Possible", "Ubot", "Bulz", "Uztuby", "Azorult cnc", "Suppobox", "Inmortal", "Zeus", "Maltiverse", "Redirector", "Beach research", "Domains", "Wannacry kill switch", "Njrat", "Vitzo", "Apnic", "Adware affiliate", "Webtoolbar", "Virtool", "Win32.pdf.alien", "Trojanspy" ], "industries": [ "Civil society", "Healthcare", "Private sector", "Health" ], "unique_indicators": 112037 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/t4tonly.com", "whois": "http://whois.domaintools.com/t4tonly.com", "domain": "t4tonly.com", "hostname": "webdisk.t4tonly.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 16, "pulses": [ { "id": "69b2730aa46a25d7949daa8d", "name": "apple retail dnspionage clone octoseek", "description": "", "modified": "2026-04-11T00:03:57.096000", "created": "2026-03-12T08:02:18.609000", "tags": [ "Ghost RAT", "WebToolbar", "Nanocore RAT", "GameHack", "Cobalt Strike", "RedlineStealer", "HallGrand", "InstallCore", "InstallBrain", "Emotet", "Tofsee", "InMortal", "Bradesco", "Agent Tesla", "Mitre", "Pyscpa", "TrojanSpy", "SuppoBox", "Occamy", "DNSPIONAGE", "Stealer", "Password", "Apple", "Retail", "Cherry Creek Colorado", "Bot Networks", "Ghost RAT", "Networm" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "658a2b6cfdcfeec5db5f31a1", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7996, "FileHash-SHA1": 3921, "FileHash-SHA256": 5341, "hostname": 2108, "domain": 1005, "URL": 5635, "CIDR": 2, "CVE": 21, "email": 28 }, "indicator_count": 26057, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f27f90cb56df78929c01d4", "name": "CO.gov/PEAK - Post Mail Social Engineering | M Brian Sabey and CBI", "description": "", "modified": "2024-09-24T14:02:17.711000", "created": "2024-03-14T04:39:44.522000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65f2691bb1405f9a30cf46b6", "export_count": 76, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6664, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2523, "domain": 1792, "hostname": 1889, "CVE": 2, "CIDR": 19, "email": 22 }, "indicator_count": 13082, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "572 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f4ba867ec44a4dc0e6fc96", "name": "DNS Hijacking - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -MilesIT.com", "description": "Jiuxiu Live - High-quality beauty online video interactive community - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -porn dump. Performed tiny DNS test on affected target. \nDNS stuffing pornography. DNSpionage , custom browser, DNS tunneling encoding data, programs, protocols, DNS queries, responses, amplification attack; perform (DDoS) on server, flood attack, spoofing. Attack. Miles IT & affiliated logging inas target. Pitfall of being compromised for some; you won't speak to legitimate business unless you know & recognize voice. \nSome notations in references.", "modified": "2024-04-13T11:00:32.548000", "created": "2024-03-15T21:15:50.802000", "tags": [ "q htpps", "g htpps", "q https", "virustotal", "exif standard", "tiff image", "msie", "windows nt", "wow64", "slcc2", "media center", "default", "jpeg image", "search", "copy", "code", "write", "pecompact", "february", "packer", "delphi", "win32", "persistence", "execution", "next", "create c", "delete c", "intel", "ms windows", "pe32", "precreate read", "united", "show", "regsetvalueexa", "trojan", "markus", "mozilla", "write c", "json", "entries", "ascii text", "data", "as15169", "error", "malware", "win64", "denmark as32934", "ip hostname", "reverse ip", "lookup country", "as7018 att", "as14618", "as54113", "country code", "as36081 state", "redirect chain", "redirection", "location", "lakewood", "emails", "as name", "ssl certificate", "whois record", "k0pmbc", "spsfsb", "zwdk9d", "vwdzfe", "contacted", "referrer", "ntmzac", "historical ssl", "august", "hacktool", "core", "agent tesla", "emotet", "chaos", "ransomexx", "quasar", "algorithm", "v3 serial", "number", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "key identifier", "subject key", "first", "server", "registrar abuse", "date", "markmonitor", "epic games", "iana id", "contact phone", "domain status", "registrar whois", "registrar", "win32 exe", "python", "launchres", "win32 dll", "unrealengine", "detections type", "name", "bundled", "ctsu", "smokeloader", "privateloader", "relic", "monitoring", "startpage", "\u7f8e\u5973\u76f4\u64ad", "\u7f8e\u5973\u89c6\u9891", "\u7f8e\u5973\u4e3b\u64ad", "\u89c6\u9891\u804a\u5929", "\u89c6\u9891\u4ea4\u53cb", "\u7f8e\u5973\u4ea4\u53cb", "\u7f8e\u5973\u79c0\u573a", "\u6e05\u7eaf\u7f8e\u5973", "\u6027\u611f\u7f8e\u5973", "\u7f8e\u5973\u4e92\u52a8", "\u7f8e\u5973\u804a\u5929", "\u7f8e\u5973\u5728\u7ebf\u8868\u6f14", "\u7f8e\u5973\u76f4\u64ad\u95f4", "\u7f8e\u5973\u804a\u5929\u5ba4", "icp2021030667", "0110542", "copyright", "rights reserved", "resolutions", "contacted urls", "siblings domain", "siblings", "parent domain", "cname", "whitelisted", "status", "as15169 google", "asnone united", "servers", "aaaa", "body", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "site top", "heur", "alexa top", "safe site", "million", "million alexa", "site safe", "malicious site", "unsafe", "alexa", "riskware", "artemis", "blacknet rat", "quasar rat", "crack", "presenoker", "dapato", "stealer", "phish", "memscan", "nsis", "phishing", "bulz", "maltiverse", "trojanspy", "blacknet", "zbot", "aig", "unknown", "passive dns", "urls", "expiresthu", "gmt path", "scan endpoints", "encrypt", "dynamicloader", "high", "medium", "qaeaav12", "windows", "cape", "windows wget", "suspicious", "powershell", "canvas", "form", "showing", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "cus cnr3", "olet", "l http", "wifi", "wifi access", "wifi hotspot", "wifi internet", "southwest wifi", "inflight", "inflight entertainment", "southwest", "comedy", "internet", "strong", "drama", "google chrome", "business select", "internet access", "apple safari", "book", "rapid", "love", "summer", "poppy", "floyd", "district", "jackson", "kevin", "live", "music", "upgrade", "gift", "lost", "carol", "canada", "cobalt strike", "malicious", "fragtor", "phishing paypal", "mail spammer" ], "references": [ "https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420", "tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate", "Conneted to Network: drcody@milesit.com | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com", "Conneted to Network: http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net", "Conneted to Network: https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3", "https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357", "Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone.", "Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode.", "Target admits to ignoring major signs: 'PI' called just before request submitted.Spent hours researching & denouncing targets former 'questionable 'PI", "'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight.", "'PI' arrives in separate car w/unseen veteran. Points out DV LP to target , states he's not with her. Leads target to restaurant 'to talk'. Stays awhile.", "'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional vowing to be better.", "Emotionally demands disabled target cash advanced to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing.", "Of note: Alleging Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days provide hacker secured iPhone.", "'PI' claims to have information. Sends picture of who he claims is attacker now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew.", "Target knows nothing about assaulter. Chicago Fed text photo for target to confirm identity of attacker. Be sends a photo of Dr. John T. Sasha.", "Target was treated by Dr. Sasha, was not assaulter. Target relays Law Firm dropped her as she refused to include Sasha in Injury claim.", "Goal to present targets case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case.", "Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleging Chicago Fed contends be needs to move her 50+ miles.", "Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PI's.", "Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation.", "Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved box opened and tampered with.", "Issues: Target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her.", "I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found.", "Law enforcement aware and assure target in person she's not a suspect in any crime is Colorado or nationally. All DA's, law enforcement PI's check.", "You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, Purple teamer.", "Device security reset temporarily before epicgames[.]com a resource being used attempted to self download. Relentless...", "Self whitelisting tool, domains moved within nginx." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Bulz", "display_name": "Bulz", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Fragtor", "display_name": "Fragtor", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8753, "domain": 1525, "hostname": 3740, "FileHash-SHA256": 6746, "FileHash-MD5": 619, "FileHash-SHA1": 509, "SSLCertFingerprint": 3, "CVE": 8, "CIDR": 5, "email": 7 }, "indicator_count": 21915, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "736 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f980ad16123b5d52f5f76f", "name": "DNS Hijacking - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -MilesIT.com [Report originated from octoseek]", "description": "", "modified": "2024-04-13T11:00:32.548000", "created": "2024-03-19T12:10:21.291000", "tags": [ "q htpps", "g htpps", "q https", "virustotal", "exif standard", "tiff image", "msie", "windows nt", "wow64", "slcc2", "media center", "default", "jpeg image", "search", "copy", "code", "write", "pecompact", "february", "packer", "delphi", "win32", "persistence", "execution", "next", "create c", "delete c", "intel", "ms windows", "pe32", "precreate read", "united", "show", "regsetvalueexa", "trojan", "markus", "mozilla", "write c", "json", "entries", "ascii text", "data", "as15169", "error", "malware", "win64", "denmark as32934", "ip hostname", "reverse ip", "lookup country", "as7018 att", "as14618", "as54113", "country code", "as36081 state", "redirect chain", "redirection", "location", "lakewood", "emails", "as name", "ssl certificate", "whois record", "k0pmbc", "spsfsb", "zwdk9d", "vwdzfe", "contacted", "referrer", "ntmzac", "historical ssl", "august", "hacktool", "core", "agent tesla", "emotet", "chaos", "ransomexx", "quasar", "algorithm", "v3 serial", "number", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "key identifier", "subject key", "first", "server", "registrar abuse", "date", "markmonitor", "epic games", "iana id", "contact phone", "domain status", "registrar whois", "registrar", "win32 exe", "python", "launchres", "win32 dll", "unrealengine", "detections type", "name", "bundled", "ctsu", "smokeloader", "privateloader", "relic", "monitoring", "startpage", "\u7f8e\u5973\u76f4\u64ad", "\u7f8e\u5973\u89c6\u9891", "\u7f8e\u5973\u4e3b\u64ad", "\u89c6\u9891\u804a\u5929", "\u89c6\u9891\u4ea4\u53cb", "\u7f8e\u5973\u4ea4\u53cb", "\u7f8e\u5973\u79c0\u573a", "\u6e05\u7eaf\u7f8e\u5973", "\u6027\u611f\u7f8e\u5973", "\u7f8e\u5973\u4e92\u52a8", "\u7f8e\u5973\u804a\u5929", "\u7f8e\u5973\u5728\u7ebf\u8868\u6f14", "\u7f8e\u5973\u76f4\u64ad\u95f4", "\u7f8e\u5973\u804a\u5929\u5ba4", "icp2021030667", "0110542", "copyright", "rights reserved", "resolutions", "contacted urls", "siblings domain", "siblings", "parent domain", "cname", "whitelisted", "status", "as15169 google", "asnone united", "servers", "aaaa", "body", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "site top", "heur", "alexa top", "safe site", "million", "million alexa", "site safe", "malicious site", "unsafe", "alexa", "riskware", "artemis", "blacknet rat", "quasar rat", "crack", "presenoker", "dapato", "stealer", "phish", "memscan", "nsis", "phishing", "bulz", "maltiverse", "trojanspy", "blacknet", "zbot", "aig", "unknown", "passive dns", "urls", "expiresthu", "gmt path", "scan endpoints", "encrypt", "dynamicloader", "high", "medium", "qaeaav12", "windows", "cape", "windows wget", "suspicious", "powershell", "canvas", "form", "showing", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "cus cnr3", "olet", "l http", "wifi", "wifi access", "wifi hotspot", "wifi internet", "southwest wifi", "inflight", "inflight entertainment", "southwest", "comedy", "internet", "strong", "drama", "google chrome", "business select", "internet access", "apple safari", "book", "rapid", "love", "summer", "poppy", "floyd", "district", "jackson", "kevin", "live", "music", "upgrade", "gift", "lost", "carol", "canada", "cobalt strike", "malicious", "fragtor", "phishing paypal", "mail spammer" ], "references": [ "https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420", "tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate", "Conneted to Network: drcody@milesit.com | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com", "Conneted to Network: http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net", "Conneted to Network: https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3", "https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357", "Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone.", "Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode.", "Target admits to ignoring major signs: 'PI' called just before request submitted.Spent hours researching & denouncing targets former 'questionable 'PI", "'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight.", "'PI' arrives in separate car w/unseen veteran. Points out DV LP to target , states he's not with her. Leads target to restaurant 'to talk'. Stays awhile.", "'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional vowing to be better.", "Emotionally demands disabled target cash advanced to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing.", "Of note: Alleging Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days provide hacker secured iPhone.", "'PI' claims to have information. Sends picture of who he claims is attacker now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew.", "Target knows nothing about assaulter. Chicago Fed text photo for target to confirm identity of attacker. Be sends a photo of Dr. John T. Sasha.", "Target was treated by Dr. Sasha, was not assaulter. Target relays Law Firm dropped her as she refused to include Sasha in Injury claim.", "Goal to present targets case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case.", "Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleging Chicago Fed contends be needs to move her 50+ miles.", "Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PI's.", "Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation.", "Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved box opened and tampered with.", "Issues: Target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her.", "I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found.", "Law enforcement aware and assure target in person she's not a suspect in any crime is Colorado or nationally. All DA's, law enforcement PI's check.", "You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, Purple teamer.", "Device security reset temporarily before epicgames[.]com a resource being used attempted to self download. Relentless...", "Self whitelisting tool, domains moved within nginx." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Bulz", "display_name": "Bulz", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Fragtor", "display_name": "Fragtor", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" } ], "industries": [], "TLP": "white", "cloned_from": "65f4ba867ec44a4dc0e6fc96", "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8753, "domain": 1525, "hostname": 3740, "FileHash-SHA256": 6746, "FileHash-MD5": 619, "FileHash-SHA1": 509, "SSLCertFingerprint": 3, "CVE": 8, "CIDR": 5, "email": 7 }, "indicator_count": 21915, "is_author": false, "is_subscribing": null, "subscriber_count": 235, "modified_text": "736 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65be56d257bb241c4fa3f68d", "name": "AZORult CnC", "description": "Behaviors\n\nSteals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version\nSteals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software\nSteals stored email credentials of different mail clients\nSteals user names, passwords, and hostnames from different browsers\nSteals bitcoin wallets - Monero and uCoin\nSteals Steam and telegram credentials\nSteals Skype chat history and messages\nExecutes backdoor commands from a remote malicious user to collect host Internet protocol (IP) information, download/execute/delete file\nCapabilities\n\nInformation Theft\nBackdoor commands\nExploits\nDownload Routine\nImpact\n\nCompromise system security - with backdoor capabilities that can execute malicious commands, downloads and installs additional malwares", "modified": "2024-03-04T14:03:17.574000", "created": "2024-02-03T15:08:02.291000", "tags": [ "ssl certificate", "whois record", "threat roundup", "whois whois", "january", "historical ssl", "referrer", "april", "resolutions", "siblings domain", "march", "february", "obz4usfn0 http", "problems", "threat network", "infrastructure", "st201601152", "startpage", "iframe", "united", "unknown", "search", "showing", "united kingdom", "creation date", "aaaa", "cname", "scan endpoints", "all octoseek", "date", "next", "script urls", "soa nxdomain", "link", "xml title", "portugal", "domain", "status", "expiration date", "pulse pulses", "as44273 host", "domain robot", "as61969 team", "body", "as8075", "netherlands", "servers", "emails", "duo insight", "type", "asnone united", "name servers", "germany unknown", "passive dns", "as14061", "as49453", "lowfi", "a domains", "urls", "privacy inc", "customer", "trojandropper", "dynamicloader", "default", "medium", "entries", "khtml", "download", "show", "activity", "http", "copy", "write", "malware", "adware affiliate", "hostname", "trojan", "pulse submit", "url analysis", "files", "as212913 fop", "russia unknown", "as397240", "as15169 google", "as19237 omnis", "as22169 omnis", "as20068 hawk", "as133618", "as47846", "as22489", "encrypt", "record value", "pragma", "accept ch", "ireland unknown", "msie", "chrome", "style", "gmt setcookie", "as6724 strato", "core", "win32", "backdoor", "expl", "exploit", "ipv4", "virtool", "azorult cnc", "possible", "as7018 att", "regsetvalueexa", "china as4134", "service", "asnone", "dns lookup", "ransom", "push", "eternalblue", "recon", "playgame", "domain name", "as13768 aptum", "meta", "error", "as43350 nforce", "as55286", "as60558 phoenix", "ip address", "registrar", "1996", "contacted", "unlocker", "red team", "af81 http", "execution", "open", "whois sslcert", "suspicious c2", "cve202322518", "collection", "vt graph", "excel", "emotet", "metro", "jeffrey reimer pt", "sharecare", "tsara brashears", "apple", "icloud" ], "references": [ "https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z", "qbot.zip", "imp.fusioninstall.com", "https://mylegalbid.com/malwarebytes", "192.185.223.216 | 192.168.56.1 [malware]", "http://45.159.189.105/bot/regex", "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf", "xhamster.comyouporn.com", "cams4all.com", "watchhers.net", "weconnect.com", "icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net", "http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe", "init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com", "Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com", "https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music", "https://www.songculture.com/tsara-lynn-brashears-music", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "youramateuporn.com", "ns2.abovedomains.com", "ww16.porn-community.porn25.com", "https://totallyspies.1000hentai.com/tag/clover-porn/", "pirateproxy.cc", "mwilliams.dev@gmail.com | piratepages.com", "838114.parkingcrew.net", "static-push-preprod.porndig.com", "www.redtube.comyouporn.com", "https://severeporn-com.pornproxy.page/", "https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend", "yoursexy.porn | indianyouporn.com", "source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com", "cdn.pornsocket.com", "http://secure.indianpornpass.com/track/hotpornstuff", "www.anyxxxtube.net", "https://twitter.com/PORNO_SEXYBABES", "http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo", "campaign-manager.sharecare.com", "qa.companycam.com", "https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1", "24-70mm.camera", "dropboxpayments.com", "http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org", "http://xred.mooo.com", "https://sexgalaxy.net/tag/rodneymoore/", "http://alive.overit.com/~schoolbu/badmood3.exe", "jimgaffigan.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United Kingdom of Great Britain and Northern Ireland", "United States of America", "Netherlands", "Germany", "France" ], "malware_families": [ { "id": "Adware Affiliate", "display_name": "Adware Affiliate", "target": null }, { "id": "AZORult CnC", "display_name": "AZORult CnC", "target": null }, { "id": "Possible", "display_name": "Possible", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 737, "FileHash-SHA1": 692, "FileHash-SHA256": 7488, "URL": 6694, "domain": 5247, "hostname": 2932, "email": 49, "CVE": 2, "SSLCertFingerprint": 1 }, "indicator_count": 23842, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "776 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65be56d6df9d36bac14ccd87", "name": "AZORult CnC", "description": "Behaviors\n\nSteals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version\nSteals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software\nSteals stored email credentials of different mail clients\nSteals user names, passwords, and hostnames from different browsers\nSteals bitcoin wallets - Monero and uCoin\nSteals Steam and telegram credentials\nSteals Skype chat history and messages\nExecutes backdoor commands from a remote malicious user to collect host Internet protocol (IP) information, download/execute/delete file\nCapabilities\n\nInformation Theft\nBackdoor commands\nExploits\nDownload Routine\nImpact\n\nCompromise system security - with backdoor capabilities that can execute malicious commands, downloads and installs additional malwares", "modified": "2024-03-04T14:03:17.574000", "created": "2024-02-03T15:08:06.808000", "tags": [ "ssl certificate", "whois record", "threat roundup", "whois whois", "january", "historical ssl", "referrer", "april", "resolutions", "siblings domain", "march", "february", "obz4usfn0 http", "problems", "threat network", "infrastructure", "st201601152", "startpage", "iframe", "united", "unknown", "search", "showing", "united kingdom", "creation date", "aaaa", "cname", "scan endpoints", "all octoseek", "date", "next", "script urls", "soa nxdomain", "link", "xml title", "portugal", "domain", "status", "expiration date", "pulse pulses", "as44273 host", "domain robot", "as61969 team", "body", "as8075", "netherlands", "servers", "emails", "duo insight", "type", "asnone united", "name servers", "germany unknown", "passive dns", "as14061", "as49453", "lowfi", "a domains", "urls", "privacy inc", "customer", "trojandropper", "dynamicloader", "default", "medium", "entries", "khtml", "download", "show", "activity", "http", "copy", "write", "malware", "adware affiliate", "hostname", "trojan", "pulse submit", "url analysis", "files", "as212913 fop", "russia unknown", "as397240", "as15169 google", "as19237 omnis", "as22169 omnis", "as20068 hawk", "as133618", "as47846", "as22489", "encrypt", "record value", "pragma", "accept ch", "ireland unknown", "msie", "chrome", "style", "gmt setcookie", "as6724 strato", "core", "win32", "backdoor", "expl", "exploit", "ipv4", "virtool", "azorult cnc", "possible", "as7018 att", "regsetvalueexa", "china as4134", "service", "asnone", "dns lookup", "ransom", "push", "eternalblue", "recon", "playgame", "domain name", "as13768 aptum", "meta", "error", "as43350 nforce", "as55286", "as60558 phoenix", "ip address", "registrar", "1996", "contacted", "unlocker", "red team", "af81 http", "execution", "open", "whois sslcert", "suspicious c2", "cve202322518", "collection", "vt graph", "excel", "emotet", "metro", "jeffrey reimer pt", "sharecare", "tsara brashears", "apple", "icloud" ], "references": [ "https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z", "qbot.zip", "imp.fusioninstall.com", "https://mylegalbid.com/malwarebytes", "192.185.223.216 | 192.168.56.1 [malware]", "http://45.159.189.105/bot/regex", "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf", "xhamster.comyouporn.com", "cams4all.com", "watchhers.net", "weconnect.com", "icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net", "http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe", "init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com", "Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com", "https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music", "https://www.songculture.com/tsara-lynn-brashears-music", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "youramateuporn.com", "ns2.abovedomains.com", "ww16.porn-community.porn25.com", "https://totallyspies.1000hentai.com/tag/clover-porn/", "pirateproxy.cc", "mwilliams.dev@gmail.com | piratepages.com", "838114.parkingcrew.net", "static-push-preprod.porndig.com", "www.redtube.comyouporn.com", "https://severeporn-com.pornproxy.page/", "https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend", "yoursexy.porn | indianyouporn.com", "source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com", "cdn.pornsocket.com", "http://secure.indianpornpass.com/track/hotpornstuff", "www.anyxxxtube.net", "https://twitter.com/PORNO_SEXYBABES", "http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo", "campaign-manager.sharecare.com", "qa.companycam.com", "https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1", "24-70mm.camera", "dropboxpayments.com", "http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org", "http://xred.mooo.com", "https://sexgalaxy.net/tag/rodneymoore/", "http://alive.overit.com/~schoolbu/badmood3.exe", "jimgaffigan.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United Kingdom of Great Britain and Northern Ireland", "United States of America", "Netherlands", "Germany", "France" ], "malware_families": [ { "id": "Adware Affiliate", "display_name": "Adware Affiliate", "target": null }, { "id": "AZORult CnC", "display_name": "AZORult CnC", "target": null }, { "id": "Possible", "display_name": "Possible", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8134, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 737, "FileHash-SHA1": 692, "FileHash-SHA256": 7488, "URL": 6694, "domain": 5247, "hostname": 2932, "email": 49, "CVE": 2, "SSLCertFingerprint": 1 }, "indicator_count": 23842, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "776 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658a2b6cfdcfeec5db5f31a1", "name": "Apple Retail: DNSpionage | CNC Server| Injection | Remote Process Writes", "description": "It's best to update, transfer data, and activate device over safe, trusted, private internet. Bot Networks and DNS Espionage positive. Very malicious with ability to compromise every network as compromised device logs into spreading an incredibly large, very malicious ongoing cyber \nwarfare attack. Command and control server.", "modified": "2024-01-25T01:03:33.919000", "created": "2023-12-26T01:25:00.119000", "tags": [ "Ghost RAT", "WebToolbar", "Nanocore RAT", "GameHack", "Cobalt Strike", "RedlineStealer", "HallGrand", "InstallCore", "InstallBrain", "Emotet", "Tofsee", "InMortal", "Bradesco", "Agent Tesla", "Mitre", "Pyscpa", "TrojanSpy", "SuppoBox", "Occamy", "DNSPIONAGE", "Stealer", "Password", "Apple", "Retail", "Cherry Creek Colorado", "Bot Networks", "Ghost RAT", "Networm" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7996, "FileHash-SHA1": 3921, "FileHash-SHA256": 5341, "hostname": 2108, "domain": 1005, "URL": 5635, "CIDR": 2, "CVE": 21, "email": 28 }, "indicator_count": 26057, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "815 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658a2b70d4e5f1b1267a5a45", "name": "Apple Retail: DNSpionage | CNC Server| Injection | Remote Process Writes", "description": "It's best to update, transfer data, and activate device over safe, trusted, private internet. Bot Networks and DNS Espionage positive. Very malicious with ability to compromise every network as compromised device logs into spreading an incredibly large, very malicious ongoing cyber \nwarfare attack. Command and control server.", "modified": "2024-01-25T01:03:33.919000", "created": "2023-12-26T01:25:04.914000", "tags": [ "Ghost RAT", "WebToolbar", "Nanocore RAT", "GameHack", "Cobalt Strike", "RedlineStealer", "HallGrand", "InstallCore", "InstallBrain", "Emotet", "Tofsee", "InMortal", "Bradesco", "Agent Tesla", "Mitre", "Pyscpa", "TrojanSpy", "SuppoBox", "Occamy", "DNSPIONAGE", "Stealer", "Password", "Apple", "Retail", "Cherry Creek Colorado", "Bot Networks", "Ghost RAT", "Networm" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7996, "FileHash-SHA1": 3921, "FileHash-SHA256": 5341, "hostname": 2108, "domain": 1005, "URL": 5635, "CIDR": 2, "CVE": 21, "email": 28 }, "indicator_count": 26057, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "815 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658ca31a0720e83e8630677d", "name": "Apple Retail: DNSpionage | CNC Server| Injection | Remote Process [OctoSeek]", "description": "", "modified": "2024-01-25T01:03:33.919000", "created": "2023-12-27T22:20:10.878000", "tags": [ "Ghost RAT", "WebToolbar", "Nanocore RAT", "GameHack", "Cobalt Strike", "RedlineStealer", "HallGrand", "InstallCore", "InstallBrain", "Emotet", "Tofsee", "InMortal", "Bradesco", "Agent Tesla", "Mitre", "Pyscpa", "TrojanSpy", "SuppoBox", "Occamy", "DNSPIONAGE", "Stealer", "Password", "Apple", "Retail", "Cherry Creek Colorado", "Bot Networks", "Ghost RAT", "Networm" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "658a2b6cfdcfeec5db5f31a1", "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7996, "FileHash-SHA1": 3921, "FileHash-SHA256": 5341, "hostname": 2108, "domain": 1005, "URL": 5635, "CIDR": 2, "CVE": 21, "email": 28 }, "indicator_count": 26057, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "815 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6588588d4b9eb5c3530caabf", "name": "Ghost RAT | Apple Domain Robot | Cherry Creek, Colorado Retail", "description": "", "modified": "2024-01-23T17:03:33.038000", "created": "2023-12-24T16:13:01.574000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64d1e650a97b0611cf796551", "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28182, "FileHash-MD5": 4761, "FileHash-SHA1": 3109, "FileHash-SHA256": 10324, "domain": 3628, "hostname": 9624, "email": 90, "CIDR": 8, "CVE": 42 }, "indicator_count": 59768, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "817 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://webdisk.t4tonly.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://webdisk.t4tonly.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776631907.3319373 }