Criminals use CHOOPA VPS to deliver BlackNet RAT
April 6, 2020
•
4
min read
The Carrier
- 2 domains: corona-antivirus.com and 45.32.78.111/Corn/Calin/Corona.exe, which claim to wipe out COVID related malware, found to deliver BlackNet RAT.
The Malware
- The file is Windows Executable which is coded in MS Visual C++.
- The language detected is German.
The Risk
- The same hash has been used multiple times with revised file names. So, it is highly likely that it may appear in the future with different file names.
- It is evident that the criminals are renting out VPS services to host malicious campaigns. And some of these services are not DMCA compliant.
File details
corona-antivirus.com
IP : 95.179.252.195
Location: Hesse, Frankfurt, Germany
Hosting Provider: Vultr Holdings (Global cloud hosting provider)
ISP: Choopa (Choopa is the Virtual Service Provider division from Vultr)
45.32.78.111/Corn/Calin/Corona.exe
IP: 45.32.78.111
Location: Los Angeles, CA, US
Hosting Provider: Vultr Holdings (Global cloud hosting provider)
ISP: Choopa (Choopa is the Virtual Service Provider division from Vultr)
Indicators of Compromise
MD5: 3176d858ea6c4307555a13d0e5257e0dSHA1: 1ef3293933681c3db98859210b3777102185789SHA256:
fd8c00e758edcccf92d7fd762a646e9be248d0a7c20701904dacd736163ccb20
Tags:
No items found.