- Two domains, corona-antivirus.com and 22.214.171.124/Corn/Calin/Corona.exe, which claim to wipe out COVID-related malware, were found to deliver the BlackNet RAT.
- The file is a Windows executable written in MS Visual C++.
- The detected language is German.
- The same hash has been reused multiple times under different file names, so it is highly likely to reappear in the future under yet other file names.
- It is evident that the criminals are renting VPS services to host malicious campaigns, and some of these services are not DMCA compliant.
corona-antivirus.com
- IP: 126.96.36.199
- Location: Frankfurt, Hesse, Germany
- Hosting Provider: Vultr Holdings (global cloud hosting provider)
- ISP: Choopa (the virtual service provider division of Vultr)

188.8.131.52/Corn/Calin/Corona.exe
- IP: 184.108.40.206
- Location: Los Angeles, CA, US
- Hosting Provider: Vultr Holdings (global cloud hosting provider)
- ISP: Choopa (the virtual service provider division of Vultr)
Indicators of Compromise