The Carrier
- Two download sources, corona-antivirus.com and 45.32.78.111/Corn/Calin/Corona.exe, claim to wipe out COVID-related malware but were found to deliver BlackNet RAT.
The Malware
- The file is a Windows executable compiled with MS Visual C++.
- The language detected is German.
The Risk
- The same hash has been used multiple times under revised file names, so it is highly likely to reappear in the future with different file names; detection should key on the file hash rather than the name.
- It is evident that the criminals are renting VPS services to host malicious campaigns, and some of these services are not DMCA compliant.
File details
corona-antivirus.com
IP: 95.179.252.195
Location: Hesse, Frankfurt, Germany
Hosting Provider: Vultr Holdings (Global cloud hosting provider)
ISP: Choopa (Choopa is the Virtual Service Provider division from Vultr)

45.32.78.111/Corn/Calin/Corona.exe
IP: 45.32.78.111
Location: Los Angeles, CA, US
Hosting Provider: Vultr Holdings (Global cloud hosting provider)
ISP: Choopa (Choopa is the Virtual Service Provider division from Vultr)

Indicators of Compromise
MD5: 3176d858ea6c4307555a13d0e5257e0d
SHA1: 1ef3293933681c3db98859210b3777102185789
SHA256: fd8c00e758edcccf92d7fd762a646e9be248d0a7c20701904dacd736163ccb20