Home
Threat Intelligence Posts

Criminals use CHOOPA VPS to deliver BlackNet RAT

Domains claiming to wipe out COVID-related malware delivers BlackNet RAT. Criminals rent out VPS services to host malicious campaigns.
Updated on
February 27, 2023
Published on
April 6, 2020
Read time
5
Subscribe to the latest industry news, technologies and resources.

The Carrier

  • 2 domains: corona-antivirus.com and 45.32.78.111/Corn/Calin/Corona.exe, which claim to wipe out COVID related malware, found to deliver BlackNet RAT.

The Malware

  • The file is Windows Executable which is coded in MS Visual C++.
  • The language detected is German.

The Risk

  • The same hash has been used multiple times with revised file names. So, it is highly likely that it may appear in the future with different file names.
  • It is evident that the criminals are renting out VPS services to host malicious campaigns. And some of these services are not DMCA compliant.

File details

corona-antivirus.com
IP : 95.179.252.195 Location: Hesse, Frankfurt, Germany Hosting Provider: Vultr Holdings (Global cloud hosting provider) ISP: Choopa (Choopa is the Virtual Service Provider division from Vultr)
45.32.78.111/Corn/Calin/Corona.exe
IP: 45.32.78.111 Location: Los Angeles, CA, US Hosting Provider: Vultr Holdings (Global cloud hosting provider) ISP: Choopa (Choopa is the Virtual Service Provider division from Vultr)

Indicators of Compromise

  • MD5: 3176d858ea6c4307555a13d0e5257e0d
  • SHA1: 1ef3293933681c3db98859210b3777102185789
  • SHA256: fd8c00e758edcccf92d7fd762a646e9be248d0a7c20701904dacd736163ccb20

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Related Intelligence Posts
No items found.