Home
Threat Intelligence Posts
Malware Intelligence

Criminals use CHOOPA VPS to deliver BlackNet RAT

Domains claiming to wipe out COVID-related malware delivers BlackNet RAT. Criminals rent out VPS services to host malicious campaigns.
Updated on
April 19, 2023
Published on
April 6, 2020
Read MINUTES
5
Subscribe to the latest industry news, threats and resources.

The Carrier

  • 2 domains: corona-antivirus.com and 45.32.78.111/Corn/Calin/Corona.exe, which claim to wipe out COVID related malware, found to deliver BlackNet RAT.

The Malware

  • The file is Windows Executable which is coded in MS Visual C++.
  • The language detected is German.

The Risk

  • The same hash has been used multiple times with revised file names. So, it is highly likely that it may appear in the future with different file names.
  • It is evident that the criminals are renting out VPS services to host malicious campaigns. And some of these services are not DMCA compliant.

File details

corona-antivirus.com
IP : 95.179.252.195 Location: Hesse, Frankfurt, Germany Hosting Provider: Vultr Holdings (Global cloud hosting provider) ISP: Choopa (Choopa is the Virtual Service Provider division from Vultr)
45.32.78.111/Corn/Calin/Corona.exe
IP: 45.32.78.111 Location: Los Angeles, CA, US Hosting Provider: Vultr Holdings (Global cloud hosting provider) ISP: Choopa (Choopa is the Virtual Service Provider division from Vultr)

Indicators of Compromise

  • MD5: 3176d858ea6c4307555a13d0e5257e0d
  • SHA1: 1ef3293933681c3db98859210b3777102185789
  • SHA256: fd8c00e758edcccf92d7fd762a646e9be248d0a7c20701904dacd736163ccb20
CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.
Recent Posts

Recent Articles

Critical CSRF Vulnerability in IBM CICS TX - CVE-2023-42027 Demands Immediate Action
November 15, 2023
CVE-2023-43792 baserCMS is a website development framework vulnerable to Code Injection attacks
November 6, 2023

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations
Get started
Learn more