Sumeru

Stats about Corona-related infections, deaths, transmissions are in high demand and everyone is searching for them. Malicious actors take advantage of this situation and by spreading malware as “Coronavirus map”.

General Info:-

We are using Remnux Linux and windows 10 machine for the analysis, so our first step is to find out which type of malware it is using Peframe tool

And then find entropy value and Characteristics using Peframe.exe in windows Analysis (entropy value 7=>8 ) some data or process are inside the malware

Trigger the Corona-virus-Map.com.exe in a sandbox windows machine and keep the Wireshark and Procmon ready to analyze it in the background. Analyze the processor id, tree structure, modified file path, files dropped.

here you can see some suspicious executions, also you can find some of the dropped files like windows.Globalization.Fontgroup.exe

Also, we can see a compressed file and once you extract it, we can see the following information

YARA rules are used to look for that code along with some of the malware’s functions and features.

in the Peframe tool, we are able to get what is present in the DLL file

using the TRID tool we can find collected data Info

And We are using regshot to find out which files are affected, added, modified, registry modified information can be obtained.

And finally, this data is through the breakpoints DNS

gisanddata.maps.arcgis.com
coronavirusstatus.space
api.telegram.org
ipapi.co
js.arcgis.com

Note:- This lab setup in host-only adapter internally reaching with two os flavors (LINUX, WINDOWS)

Just checking for coronavirusstatus.space in virustotal is the most vulnerable website.

How attackers are spreading“Coronavirus map” malware map?

General Info:-