- Two distribution points, corona-antivirus.com and 188.8.131.52/Corn/Calin/Corona.exe, claim to remove COVID-related malware but were found to deliver the BlackNet RAT.
- The file is a Windows executable written in MS Visual C++.
- The detected language is German.
- The same hash has been used multiple times under revised file names, so it is highly likely to reappear in the future under different file names.
- It is evident that the criminals rent VPS services to host malicious campaigns, and some of these services are not DMCA compliant.
- corona-antivirus.com
  - IP: 184.108.40.206
  - Location: Frankfurt, Hesse, Germany
  - Hosting Provider: Vultr Holdings (global cloud hosting provider)
  - ISP: Choopa (the virtual service provider division of Vultr)
- 220.127.116.11/Corn/Calin/Corona.exe
  - IP: 18.104.22.168
  - Location: Los Angeles, CA, US
  - Hosting Provider: Vultr Holdings (global cloud hosting provider)
  - ISP: Choopa (the virtual service provider division of Vultr)
Indicators of Compromise