{ "type": "Domain", "indicator": "zsrest.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/zsrest.com", "alexa": "http://www.alexa.com/siteinfo/zsrest.com", "indicator": "zsrest.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3639225851, "indicator": "zsrest.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "6696c991debb12023a1357e3", "name": "DroidJack RAT IOCs - SEC-1275-1", "description": "", "modified": "2024-08-15T19:03:41.303000", "created": "2024-07-16T19:27:13.260000", "tags": [ "droidjack", "android", "toggle", "sqlite", "sandrorat", "compromise ipv4", "urls http", "sha1", "sha256", "gigabud rat" ], "references": [ "https://1275.ru/ioc/1635/droidjack-rat-iocs/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "chiendn2k1@", "id": "286155", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 692, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 150, "hostname": 70 }, "indicator_count": 918, "is_author": false, "is_subscribing": null, "subscriber_count": 34, "modified_text": "654 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65eedf74b7bdda41057bef3e", "name": "Source Browse- DNS poisoning \u2022 Device CnC", "description": "Smear + Fear campaign. Parked domain schemes. Swatting, social engineering, crime staging/framing. Cyber bully, shocking, false online content, posters, porn dumping, injection, CnC devices, master keys, break & enter. Victim becomes the accused. Framing. Ability to close bank accounts, skim, call, text, email collection, redirect phone calls, create botnets, engineer malware, injection,divert tax refunds, divert funds, royalties, mail erase job history, attack, hospital, CnC event, IRS audits, fake documentaries, stalkers, attackers, death threats. MD articulated outcome after being SA'd by their employee they vowed to protect.", "modified": "2024-04-10T09:00:27.994000", "created": "2024-03-11T10:39:48.949000", "tags": [ "iocs", "all octoseek", "blacklist https", "gmbh version", "legal", "service privacy", "general full", "reverse dns", "san francisco", "asn13335", "cloudflarenet", "cloudflare", "domains", "service privacy", "modernizr", "domainpath name", "migrate", "phishing", "url https", "united", "line", "threat", "paste", "analyze", "value", "z6s3i string", "a7i string", "y3i string", "e0b function", "x8i string", "source level", "threat analyzer", "urls https", "domain", "webzilla", "cloudflar", "system", "hostnames", "sample", "security tls", "ecdheecdsa", "resource", "hash", "windows nt", "win64", "khtml", "gecko", "veryhigh", "limited", "lsalford", "ocomodo ca", "cncomodo ecc", "secure server", "olet", "encrypt", "cnlet", "identity search", "group", "google https", "expired", "comodo", "tls web", "log id", "criteria id", "1663014711", "summary leaf", "timestamp entry", "log operator", "error", "name size", "parent", "directory", "displays", "targets", "smartfolder", "frame", "bookmarks", "splitcount", "nib files", "design", "boundsstr", "rows", "source browser", "ruby logo", "license", "python", "python software", "foundation", "apple inc", "php logo", "visit", "valid", "no na", "no no", "ip security", "ca id", "research group", "cnisrg root", "mozilla", "android", "binrm", "targetdisk", "create", "crlcachedir", "makefile", "dstroot", "keychainssrc", "srcroot", "crl cache", "install", "ev server", "authentication", "subject", "digicert https", "sectigo https", "certificate", "ca limited", "salford", "greater", "key usage", "access", "ca issuers", "ocsp", "x509v3 subject", "lets", "identifier", "411260982", "poison", "search", "status page", "impressum", "protocol h2", "main", "framing", "geoip", "as13335", "centos", "as32244", "liquidweb", "redirect", "as16509", "as133618", "z6s3i y3i", "as62597", "france unknown", "showing", "link", "z6s3i", "date", "unknown", "meta", "sha256", "google safe", "browsing", "hostname", "samples", "td td", "tr tr", "a td", "a domains", "passive dns", "a th", "urls", "as50295 triple", "triple mirrors", "contact", "moved", "show", "accept", "body", "microsoft", "e4609l", "urls http", "yoa https", "url http", "scan endpoints", "report spam", "created", "weeks ago", "pulse", "brashears", "xvideos", "capture", "expiration", "no expiration", "entries", "status", "as58110 ip", "for privacy", "aaaa", "creation date", "domain name", "germany unknown", "bq mar", "ipv4", "pulse pulses", "files", "artro", "files domain", "files related", "pulses otx", "pulses", "tags", "servers", "record value", "body doctype", "html public", "macintosh", "intel mac", "os x", "technology", "dns replication", "email", "server", "registrar abuse", "dnssec", "expiration date", "registrar iana", "admin country", "tech country", "registry admin", "url text", "facebook url", "google url", "google", "software", "asn15169", "ip https", "february", "request chain", "http", "referer", "aes128gcm", "pragma", "frankfurt", "germany", "asn213250", "itpsolutions", "full url", "software caddy", "express", "ubuntu", "as14061", "digitaloceanasn", "address as", "april", "facebook", "march", "hashes", "ip address", "as autonomous", "fastly", "packet", "kb script", "b script", "october", "resource path", "size", "type mimetype", "redirect chain", "kb image", "b image", "cname", "as32244 liquid", "trojan", "high", "yara rule", "sniffs", "windows", "anomalous file", "medium", "guard", "filehash", "js user", "python connection", "brian sabey", "smithtech", "rexxfield", "connect facebook", "open", "emails", "next", "ssl certificate", "contacted", "whois record", "referrer", "historical ssl", "resolutions", "execution", "whois whois", "contacted urls", "linkid69157 url", "formbook", "spyware", "generic malware", "tag count", "sat jul", "threat report", "ip summary", "url summary", "summary", "generic", "alerts", "icmp traffic", "cust exe", "depot tech", "office depot", "tech", "customer client", "june", "copy", "network_icmp", "inject-x64.exe", "tsara brashears", "apple ios", "hacktool", "download", "malware", "relic", "monitoring", "tofsee", "https://otx.alienvault.com/pulse/65acace20c18a7d6c5da2e27", "darklivity", "hijacker", "remote attackers", "cybercrime", "fear factor", "criminal gang", "jeffrey reimer", "miles it", "history killer", "apple", "apple control", "sreredrum", "men", "man", "hit" ], "references": [ "videolal.com [Exploitation for privilege - Turns victim into target then spys, smears, embeds pornography in devices]", "videolal.com was first found hosted : https://rexxfield.com/ | https://crt.sh/?id=410492573 | https://crt.sh/?id=411260982", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/michael.pbxuser.auto.html", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/project.pbxproj.auto.html", "https://opensource.apple.com/source/security_certificates/security_certificates-2/roots/", "https://crt.sh/?q=videolal.com", "https://opensource.apple.com/source/security_certificates/security_certificates-2/Makefile.auto.html", "https://opensource.apple.com/source/security_certificates/", "https://crt.sh/?q=videolal.com", "https://crt.sh/?graph=410492573&opt=nometadata", "https://crt.sh/?spkisha256=2c5ef644a15ed2d591aee707a125b2870da480a0bc16d78022a311c93aca5b15", "Tracey Richter smear included Brashears: http://video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n", "Tracey Richter smear: video-lal.com/videos/diabolical-sentencing.html", "Tracey Richter smear: video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n", "Tracey Richter smear: video-lal.com/video/fbcwPGTSo5lrA7e/tracey-richter-documentary?cpc=no", "Malware hosting: http://videolan.mirror.triple-it.nl/vlc-android/3.0.4/VLC-Android-3.0.4-ARMv7.apk", "video-lal.com/videos/sandra-richter-video.html", "Denver Attorney Frank Azar Smear: video-lal.com/videos/sherryce-emery-frank-azar-&-associates.html", "Brashears smear: video-lal.com/videos/tsara-brashears-dead-by-daylight.html", "http://tx-p2p-pull.video-voip.com.dorm.com/Accept-Language", "Crazy: video-lal.com/videos/michael-roberts.html", "https://urlscan.io/screenshots/e40cd846-7c34-45a5-9f79-fea139f5b1ee.png", "http://secure.applegiftcard.com \u2022 199.59.243.224: http://tx-p2p-pull.video-voip.com.dorm.com \u2022 199.59.243.224: http://wpad.dorm.com", "notonmytrack.info \u2022 http://notonmytrack.info \u2022 https://pochta-rf.ru/track74157857 \u2022 patch-tracker.gnewsense.org \u2022 mysql.snore.co", "Darren Meade: https://urlscan.io/result/e5f1d6fe-036e-4291-8595-0a33e5dacba5/#behaviour \u2022 alleged partner turned enemy of Michael Roberts", "http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe | smithsthermopadtool.com", "http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe \u2022", "Unclear given names authentic. Michael Roberts, Darren Mitchell Meade , M. Brian Sabey could be used interchangeably. Black hats w/pseudonyms.", "Smith tech may refer to Det. Ben Smith. HallRender; a media company, producing nonsensical, albeit convincing evidence of deeply fake content.", "Possibly false names given by individual involved. Brian Sabey Hall Render | Michael Roberts Rexxfield | Darren Meade former partner of Roberts", "Responsible reopening Richter case via alleged Detective Ben Smith | Names Below linked to porn spewing Videolan , Videolal, Video-lal (Honeypots?) |", "http://www.hallrender.com/attorney/brian-sabey |", "Sabey: https://www.google.com/search?q=tsara+brashears&client=ms-android-tmus-us-rvc3&sca_esv=52c806ab62ec5c59&cs=1&prmd=inv&filter=0&biw=347&bih=710&dpr=2.08#ip=1", "https://www.hallrender.com/attorney/brian-sabey", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png | www.hallrender.com | rexxfield.com", "http://usb.smithtech.us \u2022 http://usb.smithtech.us/apps/downloads/NSISPortable.exe \u2022 http://usb.smithtech.us/apps/downloads/xplorer2.lite.portable.exe", "http://usb.smithtech.us/projects/downloads/\u2022 http://usb.smithtech.us/projects/downloads/psu.exe \u2022 smithsthermopadtool.com", "servicer.mgid.com \u2022 http://iv-u15.com/imbd-104-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-\u00e5\u00a4\u008f\u00e5\u00b0\u2018\u00e5\u00a5\u00b3-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-blu-ray \u2022 https://load77.exelator.com/pixel.gif", "brain-portal.net", "303 Status. Ide redirect from: https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "https://otx.alienvault.com/pulse/65e85fd4842119fff4e327cf", "https://otx.alienvault.com/pulse/64cf438a574eae18716e5954", "https://otx.alienvault.com/pulse/64d018ee4623e8fcd386c2e1", "https://otx.alienvault.com/pulse/65418472eb20b10ee5510fde", "https://otx.alienvault.com/pulse/64d65255c80d866add600bac", "https://otx.alienvault.com/pulse/65204565ac1e8bce4de26df3", "https://otx.alienvault.com/pulse/64cf438a574eae18716e5954", "https://otx.alienvault.com/pulse/65a342310ab3d2c69778d608", "Refuses to remove target from adult content \"tagging\"" ], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Win.Malware.Farfli-6824119-0", "display_name": "Win.Malware.Farfli-6824119-0", "target": null }, { "id": "Win32:TrojanX-Gen[Trj]", "display_name": "Win32:TrojanX-Gen[Trj]", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574.006", "name": "Dynamic Linker Hijacking", "display_name": "T1574.006 - Dynamic Linker Hijacking" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1602.002", "name": "Network Device Configuration Dump", "display_name": "T1602.002 - Network Device Configuration Dump" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5328, "domain": 2339, "hostname": 2434, "FileHash-MD5": 1210, "FileHash-SHA1": 721, "FileHash-SHA256": 2784, "SSLCertFingerprint": 5, "CVE": 2, "URI": 2, "email": 10, "CIDR": 3 }, "indicator_count": 14838, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c607c354336e9c19aa3e1f", "name": "RansomEXX + Cyber attack \u2022 Premier Denver Recording Studio", "description": "Studio description: Adelio developed and managed A-list producer DJ Frank E, who has worked with the likes of Kanye West, B.O.B., Madonna, and Justin Bieber...\nResearch confirms target releases songs recorded @ Side3 studios.\nCreative differences aren't uncommon, research shows a common kink with m. Brian sabey if hallrender hacking everything from hospital is to insurance portals. He's nuts. Unclear if true nameof attacker is Brian Sabey /Tulach / using NSO grouo and various cyver attacks. A man representing an attorney named M. Brian Sabey socially engineered himself and others into targets world. If studio interns or management had malice towards target, social engineering access would be easy.", "modified": "2024-03-10T11:05:48.248000", "created": "2024-02-09T11:08:51.939000", "tags": [ "url http", "united", "unknown", "search", "status", "creation date", "date", "expiration date", "showing", "as201682 liquid", "as32244 liquid", "trojan", "passive dns", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "open", "win32", "body", "date hash", "avast avg", "lowfi", "ssl certificate", "contacted", "whois whois", "sdhyzbh7v http", "whois record", "execution", "apple ios", "historical ssl", "resolutions", "sdhyzbh7v", "attack", "ransomexx", "quasar", "asyncrat", "hacktool", "maze", "find", "hell", "crypto", "remcosrat", "worm", "first", "utc submissions", "submitters", "computer", "company limited", "gandi sas", "porkbun llc", "ovh sas", "summary iocs", "graph community", "as63949 linode", "for privacy", "asnone united", "as174 cogent", "as197695 domain", "russia unknown", "as16276", "france unknown", "encrypt", "next", "tsara brashears", "targeting", "cyber threat", "abuse", "malware spreading", "hallgrand", "tulach", "sabey data centers", "sav.com", "outbreak", "location united", "asn as63949", "whois registrar", "related tags", "interfacing", "malicious", "retaliation", "botnet", "porn", "teen porn", "illegal activities", "theft", "side3studios" ], "references": [ "http://mobilesmafia.com/applications/botnet.ex", "Found in: https://Side3.com/", "CnC IP's: 198.58.118.167 \u2022 45.33.18.44 \u2022 45.33.2.79 \u2022 45.33.20.235 \u2022 45.33.23.183 \u2022 45.33.30.197 \u2022 45.79.19.196 \u2022 45.33.30.197 \u2022 45.56.79.23 \u2022 72.14.178.174 \u2022 72.14.185.43 \u2022 96.126.123.244", "https://otx.alienvault.com/indicator/domain/findmy-apple.support", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing \u2022 malvertizing \u2022 apple data collection]", "nr-data.net [Apple Private Data Collection]", "WHOIS Registrar: SAV.COM, LLC - 35, Creation Date: Feb 5, 2024 - again?", "/addons/error.txt&reffer=http://www.mp3olimp.net/\" target=\"_blank\" class=\"nowrap ellipsis\">http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03", "http://c1.getapplicationmy.info/?step_id=1&installer_id=5230748627062792346&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=8693199875993334460&external_id=0&session_id=16805482311189156276&hardware_id=369127768221549700&product_name=cocina.rar&installer_file_name=cocina.rar&product_file_name=cocina.rar&product_download_url=http://fra-7m17-stor09.uploaded.net/dl/a2433760-879d-4562-b94d-461547fc758c&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://c1.downlloaddatamy.info/?step_id=1&installer_id=4472257684899349270&publisher_id=2213&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=2&download_id=5397224780012170065&external_id=0&installer_type=IX_2013&hardware_id=15739043569615579517&session_id=6869288066589810689&installer_type=IX_2013&=&=&=&q=solutionnice.info&product_name=Design%20and%20Implementation%20of%20a%20Home%20Embedded%20Surveillance%20System%20with%20Ultra%20Low%20Alert%20Power%20doc&installer_file_", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2096894809025524155&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=6356079339412925470&external_id=0&session_id=14287130792570298399&hardware_id=11580995441620935677&product_name=rachel%20blaine%20-%20don%20t%20you%20want%20me&product_file_name=error.txt&AddToPayload=", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "https://sexpornimages.com.leechlink.net [Match: www.sexpornimages.com/lynn/lynn-brashears-tsara-porn/rc1j0g.html]", "pornhub.org", "ww12.indianpornxxxtube.com", "youporndownload.com [park logic -malicious] http://golddesisex.com/en/search/teen%20anal%20long%20porn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Inject-BCL\\ [Trj]", "display_name": "Win32:Inject-BCL\\ [Trj]", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Win32:Evo-gen\\ [Trj]", "display_name": "Win32:Evo-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Mbrlock-9779766-0", "display_name": "Win.Trojan.Mbrlock-9779766-0", "target": null }, { "id": "Win.Trojan.Agent-828507", "display_name": "Win.Trojan.Agent-828507", "target": null }, { "id": "SHeur4.CEOO", "display_name": "SHeur4.CEOO", "target": null }, { "id": "Win32/Cryptor", "display_name": "Win32/Cryptor", "target": null }, { "id": "Win32/Tanatos.A", "display_name": "Win32/Tanatos.A", "target": null }, { "id": "W32.Sality-73", "display_name": "W32.Sality-73", "target": null }, { "id": "Generic_r.BYW", "display_name": "Generic_r.BYW", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Trojan:Win32/RemcosRAT", "display_name": "Trojan:Win32/RemcosRAT", "target": "/malware/Trojan:Win32/RemcosRAT" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 71387, "domain": 8768, "hostname": 17727, "email": 16, "FileHash-MD5": 195, "FileHash-SHA1": 168, "FileHash-SHA256": 15313, "CVE": 9, "CIDR": 7 }, "indicator_count": 113590, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "812 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64110da83117ae635ee07446", "name": "URLHaus data - 14-03-2023", "description": "", "modified": "2023-04-14T00:04:36.827000", "created": "2023-03-15T00:13:28.296000", "tags": [ "32-bit", "arm", "elf", "Mozi", "mips", "mirai", "hajime", "dropped-by-PrivateLoader", "RedLine", "smokeloader", "BB19", "geofenced", "js", "Qakbot", "qbot", "Quakbot", "USA", "vjw0rm", "exe", "opendir", "SnakeKeylogger", "bitrat", "rat", "AgentTesla", "Loki", "doc", "ascii", "bat", "encrypted", "250255", "7710", "Gozi", "ISFB", "ITA", "redir-302", "ursnif" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 999, "domain": 240, "hostname": 132 }, "indicator_count": 1371, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "1144 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://otx.alienvault.com/pulse/64cf438a574eae18716e5954", "WHOIS Registrar: SAV.COM, LLC - 35, Creation Date: Feb 5, 2024 - again?", "Brashears smear: video-lal.com/videos/tsara-brashears-dead-by-daylight.html", "Unclear given names authentic. Michael Roberts, Darren Mitchell Meade , M. Brian Sabey could be used interchangeably. Black hats w/pseudonyms.", "https://1275.ru/ioc/1635/droidjack-rat-iocs/", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2096894809025524155&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=6356079339412925470&external_id=0&session_id=14287130792570298399&hardware_id=11580995441620935677&product_name=rachel%20blaine%20-%20don%20t%20you%20want%20me&product_file_name=error.txt&AddToPayload=", "notonmytrack.info \u2022 http://notonmytrack.info \u2022 https://pochta-rf.ru/track74157857 \u2022 patch-tracker.gnewsense.org \u2022 mysql.snore.co", "http://usb.smithtech.us \u2022 http://usb.smithtech.us/apps/downloads/NSISPortable.exe \u2022 http://usb.smithtech.us/apps/downloads/xplorer2.lite.portable.exe", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/michael.pbxuser.auto.html", "brain-portal.net", "https://opensource.apple.com/source/security_certificates/security_certificates-2/roots/", "https://otx.alienvault.com/pulse/64d018ee4623e8fcd386c2e1", "Found in: https://Side3.com/", "http://tx-p2p-pull.video-voip.com.dorm.com/Accept-Language", "http://c1.getapplicationmy.info/?step_id=1&installer_id=5230748627062792346&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=8693199875993334460&external_id=0&session_id=16805482311189156276&hardware_id=369127768221549700&product_name=cocina.rar&installer_file_name=cocina.rar&product_file_name=cocina.rar&product_download_url=http://fra-7m17-stor09.uploaded.net/dl/a2433760-879d-4562-b94d-461547fc758c&AddToPayload=StepReport=", "Responsible reopening Richter case via alleged Detective Ben Smith | Names Below linked to porn spewing Videolan , Videolal, Video-lal (Honeypots?) |", "https://opensource.apple.com/source/security_certificates/", "videolal.com [Exploitation for privilege - Turns victim into target then spys, smears, embeds pornography in devices]", "pornhub.org", "http://secure.applegiftcard.com \u2022 199.59.243.224: http://tx-p2p-pull.video-voip.com.dorm.com \u2022 199.59.243.224: http://wpad.dorm.com", "Sabey: https://www.google.com/search?q=tsara+brashears&client=ms-android-tmus-us-rvc3&sca_esv=52c806ab62ec5c59&cs=1&prmd=inv&filter=0&biw=347&bih=710&dpr=2.08#ip=1", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png | www.hallrender.com | rexxfield.com", "http://www.hallrender.com/attorney/brian-sabey |", "https://otx.alienvault.com/pulse/65a342310ab3d2c69778d608", "Denver Attorney Frank Azar Smear: video-lal.com/videos/sherryce-emery-frank-azar-&-associates.html", "Tracey Richter smear: video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n", "CnC IP's: 198.58.118.167 \u2022 45.33.18.44 \u2022 45.33.2.79 \u2022 45.33.20.235 \u2022 45.33.23.183 \u2022 45.33.30.197 \u2022 45.79.19.196 \u2022 45.33.30.197 \u2022 45.56.79.23 \u2022 72.14.178.174 \u2022 72.14.185.43 \u2022 96.126.123.244", "https://otx.alienvault.com/pulse/65e85fd4842119fff4e327cf", "Malware hosting: http://videolan.mirror.triple-it.nl/vlc-android/3.0.4/VLC-Android-3.0.4-ARMv7.apk", "Tracey Richter smear: video-lal.com/video/fbcwPGTSo5lrA7e/tracey-richter-documentary?cpc=no", "youporndownload.com [park logic -malicious] http://golddesisex.com/en/search/teen%20anal%20long%20porn", "http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe | smithsthermopadtool.com", "https://sexpornimages.com.leechlink.net [Match: www.sexpornimages.com/lynn/lynn-brashears-tsara-porn/rc1j0g.html]", "servicer.mgid.com \u2022 http://iv-u15.com/imbd-104-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-\u00e5\u00a4\u008f\u00e5\u00b0\u2018\u00e5\u00a5\u00b3-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-blu-ray \u2022 https://load77.exelator.com/pixel.gif", "303 Status. Ide redirect from: https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "https://crt.sh/?q=videolal.com", "http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe \u2022", "videolal.com was first found hosted : https://rexxfield.com/ | https://crt.sh/?id=410492573 | https://crt.sh/?id=411260982", "https://otx.alienvault.com/pulse/65418472eb20b10ee5510fde", "https://urlscan.io/screenshots/e40cd846-7c34-45a5-9f79-fea139f5b1ee.png", "http://mobilesmafia.com/applications/botnet.ex", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "/addons/error.txt&reffer=http://www.mp3olimp.net/\" target=\"_blank\" class=\"nowrap ellipsis\">http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03", "https://crt.sh/?graph=410492573&opt=nometadata", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing \u2022 malvertizing \u2022 apple data collection]", "Possibly false names given by individual involved. Brian Sabey Hall Render | Michael Roberts Rexxfield | Darren Meade former partner of Roberts", "Smith tech may refer to Det. Ben Smith. HallRender; a media company, producing nonsensical, albeit convincing evidence of deeply fake content.", "https://otx.alienvault.com/indicator/domain/findmy-apple.support", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "https://crt.sh/?spkisha256=2c5ef644a15ed2d591aee707a125b2870da480a0bc16d78022a311c93aca5b15", "Darren Meade: https://urlscan.io/result/e5f1d6fe-036e-4291-8595-0a33e5dacba5/#behaviour \u2022 alleged partner turned enemy of Michael Roberts", "https://www.hallrender.com/attorney/brian-sabey", "Refuses to remove target from adult content \"tagging\"", "http://usb.smithtech.us/projects/downloads/\u2022 http://usb.smithtech.us/projects/downloads/psu.exe \u2022 smithsthermopadtool.com", "https://otx.alienvault.com/pulse/64d65255c80d866add600bac", "Tracey Richter smear: video-lal.com/videos/diabolical-sentencing.html", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/", "video-lal.com/videos/sandra-richter-video.html", "https://otx.alienvault.com/pulse/65204565ac1e8bce4de26df3", "Crazy: video-lal.com/videos/michael-roberts.html", "nr-data.net [Apple Private Data Collection]", "http://c1.downlloaddatamy.info/?step_id=1&installer_id=4472257684899349270&publisher_id=2213&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=2&download_id=5397224780012170065&external_id=0&installer_type=IX_2013&hardware_id=15739043569615579517&session_id=6869288066589810689&installer_type=IX_2013&=&=&=&q=solutionnice.info&product_name=Design%20and%20Implementation%20of%20a%20Home%20Embedded%20Surveillance%20System%20with%20Ultra%20Low%20Alert%20Power%20doc&installer_file_", "https://urlhaus.abuse.ch/browse/", "ww12.indianpornxxxtube.com", "https://opensource.apple.com/source/security_certificates/security_certificates-2/Makefile.auto.html", "Tracey Richter smear included Brashears: http://video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/project.pbxproj.auto.html" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "[Unnamed group]" ], "malware_families": [ "Sheur4.ceoo", "#lowfi:suspicioussectionname", "Win32:evo-gen\\ [trj]", "Artro", "Trojan:win32/remcosrat", "Win.trojan.mbrlock-9779766-0", "Generic_r.byw", "Hacktool", "Win.malware.farfli-6824119-0", "Win32/tanatos.a", "Quasar rat", "Ransomexx", "W32.sality-73", "Win32:inject-bcl\\ [trj]", "Generic", "Win32:trojanx-gen[trj]", "Win32/cryptor", "Win.trojan.agent-828507" ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Media" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "6696c991debb12023a1357e3", "name": "DroidJack RAT IOCs - SEC-1275-1", "description": "", "modified": "2024-08-15T19:03:41.303000", "created": "2024-07-16T19:27:13.260000", "tags": [ "droidjack", "android", "toggle", "sqlite", "sandrorat", "compromise ipv4", "urls http", "sha1", "sha256", "gigabud rat" ], "references": [ "https://1275.ru/ioc/1635/droidjack-rat-iocs/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "chiendn2k1@", "id": "286155", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 692, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 150, "hostname": 70 }, "indicator_count": 918, "is_author": false, "is_subscribing": null, "subscriber_count": 34, "modified_text": "654 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65eedf74b7bdda41057bef3e", "name": "Source Browse- DNS poisoning \u2022 Device CnC", "description": "Smear + Fear campaign. Parked domain schemes. Swatting, social engineering, crime staging/framing. Cyber bully, shocking, false online content, posters, porn dumping, injection, CnC devices, master keys, break & enter. Victim becomes the accused. Framing. Ability to close bank accounts, skim, call, text, email collection, redirect phone calls, create botnets, engineer malware, injection,divert tax refunds, divert funds, royalties, mail erase job history, attack, hospital, CnC event, IRS audits, fake documentaries, stalkers, attackers, death threats. MD articulated outcome after being SA'd by their employee they vowed to protect.", "modified": "2024-04-10T09:00:27.994000", "created": "2024-03-11T10:39:48.949000", "tags": [ "iocs", "all octoseek", "blacklist https", "gmbh version", "legal", "service privacy", "general full", "reverse dns", "san francisco", "asn13335", "cloudflarenet", "cloudflare", "domains", "service privacy", "modernizr", "domainpath name", "migrate", "phishing", "url https", "united", "line", "threat", "paste", "analyze", "value", "z6s3i string", "a7i string", "y3i string", "e0b function", "x8i string", "source level", "threat analyzer", "urls https", "domain", "webzilla", "cloudflar", "system", "hostnames", "sample", "security tls", "ecdheecdsa", "resource", "hash", "windows nt", "win64", "khtml", "gecko", "veryhigh", "limited", "lsalford", "ocomodo ca", "cncomodo ecc", "secure server", "olet", "encrypt", "cnlet", "identity search", "group", "google https", "expired", "comodo", "tls web", "log id", "criteria id", "1663014711", "summary leaf", "timestamp entry", "log operator", "error", "name size", "parent", "directory", "displays", "targets", "smartfolder", "frame", "bookmarks", "splitcount", "nib files", "design", "boundsstr", "rows", "source browser", "ruby logo", "license", "python", "python software", "foundation", "apple inc", "php logo", "visit", "valid", "no na", "no no", "ip security", "ca id", "research group", "cnisrg root", "mozilla", "android", "binrm", "targetdisk", "create", "crlcachedir", "makefile", "dstroot", "keychainssrc", "srcroot", "crl cache", "install", "ev server", "authentication", "subject", "digicert https", "sectigo https", "certificate", "ca limited", "salford", "greater", "key usage", "access", "ca issuers", "ocsp", "x509v3 subject", "lets", "identifier", "411260982", "poison", "search", "status page", "impressum", "protocol h2", "main", "framing", "geoip", "as13335", "centos", "as32244", "liquidweb", "redirect", "as16509", "as133618", "z6s3i y3i", "as62597", "france unknown", "showing", "link", "z6s3i", "date", "unknown", "meta", "sha256", "google safe", "browsing", "hostname", "samples", "td td", "tr tr", "a td", "a domains", "passive dns", "a th", "urls", "as50295 triple", "triple mirrors", "contact", "moved", "show", "accept", "body", "microsoft", "e4609l", "urls http", "yoa https", "url http", "scan endpoints", "report spam", "created", "weeks ago", "pulse", "brashears", "xvideos", "capture", "expiration", "no expiration", "entries", "status", "as58110 ip", "for privacy", "aaaa", "creation date", "domain name", "germany unknown", "bq mar", "ipv4", "pulse pulses", "files", "artro", "files domain", "files related", "pulses otx", "pulses", "tags", "servers", "record value", "body doctype", "html public", "macintosh", "intel mac", "os x", "technology", "dns replication", "email", "server", "registrar abuse", "dnssec", "expiration date", "registrar iana", "admin country", "tech country", "registry admin", "url text", "facebook url", "google url", "google", "software", "asn15169", "ip https", "february", "request chain", "http", "referer", "aes128gcm", "pragma", "frankfurt", "germany", "asn213250", "itpsolutions", "full url", "software caddy", "express", "ubuntu", "as14061", "digitaloceanasn", "address as", "april", "facebook", "march", "hashes", "ip address", "as autonomous", "fastly", "packet", "kb script", "b script", "october", "resource path", "size", "type mimetype", "redirect chain", "kb image", "b image", "cname", "as32244 liquid", "trojan", "high", "yara rule", "sniffs", "windows", "anomalous file", "medium", "guard", "filehash", "js user", "python connection", "brian sabey", "smithtech", "rexxfield", "connect facebook", "open", "emails", "next", "ssl certificate", "contacted", "whois record", "referrer", "historical ssl", "resolutions", "execution", "whois whois", "contacted urls", "linkid69157 url", "formbook", "spyware", "generic malware", "tag count", "sat jul", "threat report", "ip summary", "url summary", "summary", "generic", "alerts", "icmp traffic", "cust exe", "depot tech", "office depot", "tech", "customer client", "june", "copy", "network_icmp", "inject-x64.exe", "tsara brashears", "apple ios", "hacktool", "download", "malware", "relic", "monitoring", "tofsee", "https://otx.alienvault.com/pulse/65acace20c18a7d6c5da2e27", "darklivity", "hijacker", "remote attackers", "cybercrime", "fear factor", "criminal gang", "jeffrey reimer", "miles it", "history killer", "apple", "apple control", "sreredrum", "men", "man", "hit" ], "references": [ "videolal.com [Exploitation for privilege - Turns victim into target then spys, smears, embeds pornography in devices]", "videolal.com was first found hosted : https://rexxfield.com/ | https://crt.sh/?id=410492573 | https://crt.sh/?id=411260982", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/michael.pbxuser.auto.html", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/project.pbxproj.auto.html", "https://opensource.apple.com/source/security_certificates/security_certificates-2/roots/", "https://crt.sh/?q=videolal.com", "https://opensource.apple.com/source/security_certificates/security_certificates-2/Makefile.auto.html", "https://opensource.apple.com/source/security_certificates/", "https://crt.sh/?q=videolal.com", "https://crt.sh/?graph=410492573&opt=nometadata", "https://crt.sh/?spkisha256=2c5ef644a15ed2d591aee707a125b2870da480a0bc16d78022a311c93aca5b15", "Tracey Richter smear included Brashears: http://video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n", "Tracey Richter smear: video-lal.com/videos/diabolical-sentencing.html", "Tracey Richter smear: video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n", "Tracey Richter smear: video-lal.com/video/fbcwPGTSo5lrA7e/tracey-richter-documentary?cpc=no", "Malware hosting: http://videolan.mirror.triple-it.nl/vlc-android/3.0.4/VLC-Android-3.0.4-ARMv7.apk", "video-lal.com/videos/sandra-richter-video.html", "Denver Attorney Frank Azar Smear: video-lal.com/videos/sherryce-emery-frank-azar-&-associates.html", "Brashears smear: video-lal.com/videos/tsara-brashears-dead-by-daylight.html", "http://tx-p2p-pull.video-voip.com.dorm.com/Accept-Language", "Crazy: video-lal.com/videos/michael-roberts.html", "https://urlscan.io/screenshots/e40cd846-7c34-45a5-9f79-fea139f5b1ee.png", "http://secure.applegiftcard.com \u2022 199.59.243.224: http://tx-p2p-pull.video-voip.com.dorm.com \u2022 199.59.243.224: http://wpad.dorm.com", "notonmytrack.info \u2022 http://notonmytrack.info \u2022 https://pochta-rf.ru/track74157857 \u2022 patch-tracker.gnewsense.org \u2022 mysql.snore.co", "Darren Meade: https://urlscan.io/result/e5f1d6fe-036e-4291-8595-0a33e5dacba5/#behaviour \u2022 alleged partner turned enemy of Michael Roberts", "http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe | smithsthermopadtool.com", "http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe \u2022", "Unclear given names authentic. Michael Roberts, Darren Mitchell Meade , M. Brian Sabey could be used interchangeably. Black hats w/pseudonyms.", "Smith tech may refer to Det. Ben Smith. HallRender; a media company, producing nonsensical, albeit convincing evidence of deeply fake content.", "Possibly false names given by individual involved. Brian Sabey Hall Render | Michael Roberts Rexxfield | Darren Meade former partner of Roberts", "Responsible reopening Richter case via alleged Detective Ben Smith | Names Below linked to porn spewing Videolan , Videolal, Video-lal (Honeypots?) |", "http://www.hallrender.com/attorney/brian-sabey |", "Sabey: https://www.google.com/search?q=tsara+brashears&client=ms-android-tmus-us-rvc3&sca_esv=52c806ab62ec5c59&cs=1&prmd=inv&filter=0&biw=347&bih=710&dpr=2.08#ip=1", "https://www.hallrender.com/attorney/brian-sabey", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png | www.hallrender.com | rexxfield.com", "http://usb.smithtech.us \u2022 http://usb.smithtech.us/apps/downloads/NSISPortable.exe \u2022 http://usb.smithtech.us/apps/downloads/xplorer2.lite.portable.exe", "http://usb.smithtech.us/projects/downloads/\u2022 http://usb.smithtech.us/projects/downloads/psu.exe \u2022 smithsthermopadtool.com", "servicer.mgid.com \u2022 http://iv-u15.com/imbd-104-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-\u00e5\u00a4\u008f\u00e5\u00b0\u2018\u00e5\u00a5\u00b3-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-blu-ray \u2022 https://load77.exelator.com/pixel.gif", "brain-portal.net", "303 Status. Ide redirect from: https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "https://otx.alienvault.com/pulse/65e85fd4842119fff4e327cf", "https://otx.alienvault.com/pulse/64cf438a574eae18716e5954", "https://otx.alienvault.com/pulse/64d018ee4623e8fcd386c2e1", "https://otx.alienvault.com/pulse/65418472eb20b10ee5510fde", "https://otx.alienvault.com/pulse/64d65255c80d866add600bac", "https://otx.alienvault.com/pulse/65204565ac1e8bce4de26df3", "https://otx.alienvault.com/pulse/64cf438a574eae18716e5954", "https://otx.alienvault.com/pulse/65a342310ab3d2c69778d608", "Refuses to remove target from adult content \"tagging\"" ], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Win.Malware.Farfli-6824119-0", "display_name": "Win.Malware.Farfli-6824119-0", "target": null }, { "id": "Win32:TrojanX-Gen[Trj]", "display_name": "Win32:TrojanX-Gen[Trj]", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574.006", "name": "Dynamic Linker Hijacking", "display_name": "T1574.006 - Dynamic Linker Hijacking" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1602.002", "name": "Network Device Configuration Dump", "display_name": "T1602.002 - Network Device Configuration Dump" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5328, "domain": 2339, "hostname": 2434, "FileHash-MD5": 1210, "FileHash-SHA1": 721, "FileHash-SHA256": 2784, "SSLCertFingerprint": 5, "CVE": 2, "URI": 2, "email": 10, "CIDR": 3 }, "indicator_count": 14838, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c607c354336e9c19aa3e1f", "name": "RansomEXX + Cyber attack \u2022 Premier Denver Recording Studio", "description": "Studio description: Adelio developed and managed A-list producer DJ Frank E, who has worked with the likes of Kanye West, B.O.B., Madonna, and Justin Bieber...\nResearch confirms target releases songs recorded @ Side3 studios.\nCreative differences aren't uncommon, research shows a common kink with m. Brian sabey if hallrender hacking everything from hospital is to insurance portals. He's nuts. Unclear if true nameof attacker is Brian Sabey /Tulach / using NSO grouo and various cyver attacks. A man representing an attorney named M. Brian Sabey socially engineered himself and others into targets world. If studio interns or management had malice towards target, social engineering access would be easy.", "modified": "2024-03-10T11:05:48.248000", "created": "2024-02-09T11:08:51.939000", "tags": [ "url http", "united", "unknown", "search", "status", "creation date", "date", "expiration date", "showing", "as201682 liquid", "as32244 liquid", "trojan", "passive dns", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "open", "win32", "body", "date hash", "avast avg", "lowfi", "ssl certificate", "contacted", "whois whois", "sdhyzbh7v http", "whois record", "execution", "apple ios", "historical ssl", "resolutions", "sdhyzbh7v", "attack", "ransomexx", "quasar", "asyncrat", "hacktool", "maze", "find", "hell", "crypto", "remcosrat", "worm", "first", "utc submissions", "submitters", "computer", "company limited", "gandi sas", "porkbun llc", "ovh sas", "summary iocs", "graph community", "as63949 linode", "for privacy", "asnone united", "as174 cogent", "as197695 domain", "russia unknown", "as16276", "france unknown", "encrypt", "next", "tsara brashears", "targeting", "cyber threat", "abuse", "malware spreading", "hallgrand", "tulach", "sabey data centers", "sav.com", "outbreak", "location united", "asn as63949", "whois registrar", "related tags", "interfacing", "malicious", "retaliation", "botnet", "porn", "teen porn", "illegal activities", "theft", "side3studios" ], "references": [ "http://mobilesmafia.com/applications/botnet.ex", "Found in: https://Side3.com/", "CnC IP's: 198.58.118.167 \u2022 45.33.18.44 \u2022 45.33.2.79 \u2022 45.33.20.235 \u2022 45.33.23.183 \u2022 45.33.30.197 \u2022 45.79.19.196 \u2022 45.33.30.197 \u2022 45.56.79.23 \u2022 72.14.178.174 \u2022 72.14.185.43 \u2022 96.126.123.244", "https://otx.alienvault.com/indicator/domain/findmy-apple.support", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing \u2022 malvertizing \u2022 apple data collection]", "nr-data.net [Apple Private Data Collection]", "WHOIS Registrar: SAV.COM, LLC - 35, Creation Date: Feb 5, 2024 - again?", "/addons/error.txt&reffer=http://www.mp3olimp.net/\" target=\"_blank\" class=\"nowrap ellipsis\">http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03", "http://c1.getapplicationmy.info/?step_id=1&installer_id=5230748627062792346&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=8693199875993334460&external_id=0&session_id=16805482311189156276&hardware_id=369127768221549700&product_name=cocina.rar&installer_file_name=cocina.rar&product_file_name=cocina.rar&product_download_url=http://fra-7m17-stor09.uploaded.net/dl/a2433760-879d-4562-b94d-461547fc758c&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://c1.downlloaddatamy.info/?step_id=1&installer_id=4472257684899349270&publisher_id=2213&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=2&download_id=5397224780012170065&external_id=0&installer_type=IX_2013&hardware_id=15739043569615579517&session_id=6869288066589810689&installer_type=IX_2013&=&=&=&q=solutionnice.info&product_name=Design%20and%20Implementation%20of%20a%20Home%20Embedded%20Surveillance%20System%20with%20Ultra%20Low%20Alert%20Power%20doc&installer_file_", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2096894809025524155&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=6356079339412925470&external_id=0&session_id=14287130792570298399&hardware_id=11580995441620935677&product_name=rachel%20blaine%20-%20don%20t%20you%20want%20me&product_file_name=error.txt&AddToPayload=", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "https://sexpornimages.com.leechlink.net [Match: www.sexpornimages.com/lynn/lynn-brashears-tsara-porn/rc1j0g.html]", "pornhub.org", "ww12.indianpornxxxtube.com", "youporndownload.com [park logic -malicious] http://golddesisex.com/en/search/teen%20anal%20long%20porn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Inject-BCL\\ [Trj]", "display_name": "Win32:Inject-BCL\\ [Trj]", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Win32:Evo-gen\\ [Trj]", "display_name": "Win32:Evo-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Mbrlock-9779766-0", "display_name": "Win.Trojan.Mbrlock-9779766-0", "target": null }, { "id": "Win.Trojan.Agent-828507", "display_name": "Win.Trojan.Agent-828507", "target": null }, { "id": "SHeur4.CEOO", "display_name": "SHeur4.CEOO", "target": null }, { "id": "Win32/Cryptor", "display_name": "Win32/Cryptor", "target": null }, { "id": "Win32/Tanatos.A", "display_name": "Win32/Tanatos.A", "target": null }, { "id": "W32.Sality-73", "display_name": "W32.Sality-73", "target": null }, { "id": "Generic_r.BYW", "display_name": "Generic_r.BYW", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Trojan:Win32/RemcosRAT", "display_name": "Trojan:Win32/RemcosRAT", "target": "/malware/Trojan:Win32/RemcosRAT" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 71387, "domain": 8768, "hostname": 17727, "email": 16, "FileHash-MD5": 195, "FileHash-SHA1": 168, "FileHash-SHA256": 15313, "CVE": 9, "CIDR": 7 }, "indicator_count": 113590, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "812 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64110da83117ae635ee07446", "name": "URLHaus data - 14-03-2023", "description": "", "modified": "2023-04-14T00:04:36.827000", "created": "2023-03-15T00:13:28.296000", "tags": [ "32-bit", "arm", "elf", "Mozi", "mips", "mirai", "hajime", "dropped-by-PrivateLoader", "RedLine", "smokeloader", "BB19", "geofenced", "js", "Qakbot", "qbot", "Quakbot", "USA", "vjw0rm", "exe", "opendir", "SnakeKeylogger", "bitrat", "rat", "AgentTesla", "Loki", "doc", "ascii", "bat", "encrypted", "250255", "7710", "Gozi", "ISFB", "ITA", "redir-302", "ursnif" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 999, "domain": 240, "hostname": 132 }, "indicator_count": 1371, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "1144 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "zsrest.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "zsrest.com", "found": true, "verdict": "malicious", "url_count": 4, "online_count": 0, "blacklists": { "spamhaus_dbl": "not listed", "surbl": "not listed" }, "urls": [ { "url": "https://zsrest.com/scarica/", "status": "offline", "threat": "malware_download", "date_added": "2023-03-14", "tags": [ "250255", "7710", "geofenced", "Gozi", "ISFB", "ITA", "redir-302", "ursnif" ] }, { "url": "https://zsrest.com/connect/", "status": "offline", "threat": "malware_download", "date_added": "2023-03-14", "tags": [ "250255", "7710", "geofenced", "Gozi", "ISFB", "ITA", "redir-302", "ursnif" ] }, { "url": "https://zsrest.com/agenzia/", "status": "offline", "threat": "malware_download", "date_added": "2023-03-14", "tags": [ "250255", "7710", "geofenced", "Gozi", "ISFB", "ITA", "redir-302", "ursnif" ] }, { "url": "https://zsrest.com/impresa/Agenzia_Entrate.zip", "status": "offline", "threat": "malware_download", "date_added": "2023-03-02", "tags": [ "agenziaentrate", "BIG", "Gozi", "ITA", "malware", "stealer" ] } ], "error": null }, "from_cache": true, "_cached_at": 1780302178.129557 }