Malware Analysis Report

2025-01-22 13:28

Sample ID 241125-w3q96awqcl
Target a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60
SHA256 a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60
Tags
mrblack antivm botnet defense_evasion discovery persistence trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60

Threat Level: Known bad

The file a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 was found to be: Known bad.

Malicious Activity Summary

mrblack antivm botnet defense_evasion discovery persistence trojan

MrBlack Trojan

Mrblack family

MrBlack trojan

Executes dropped EXE

File and Directory Permissions Modification

Reads system routing table

Write file to user bin folder

Modifies init.d

Writes file to system bin folder

Reads system network configuration

Checks CPU configuration

Writes file to tmp directory

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-25 18:27

Signatures

MrBlack trojan

Description Indicator Process Target
N/A N/A N/A N/A

Mrblack family

mrblack

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-25 18:27

Reported

2024-11-25 18:29

Platform

ubuntu2204-amd64-20240729-en

Max time kernel

149s

Max time network

149s

Command Line

[/tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60]

Signatures

MrBlack Trojan

trojan botnet mrblack

MrBlack trojan

Description Indicator Process Target
N/A N/A N/A N/A

Mrblack family

mrblack

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /usr/bin/chmod N/A
N/A N/A /bin/sh N/A
N/A N/A /usr/bin/chmod N/A
N/A N/A /bin/sh N/A
N/A N/A /usr/bin/chmod N/A
N/A N/A /bin/sh N/A
N/A N/A /usr/bin/chmod N/A
N/A N/A /bin/sh N/A

Executes dropped EXE

Description Indicator Process Target
N/A /usr/bin/bsd-port/recei /usr/bin/bsd-port/recei N/A
N/A /usr/bin/oracle /usr/bin/oracle N/A

Modifies init.d

persistence
Description Indicator Process Target
File opened for modification /etc/init.d/VsystemsshMmt /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 N/A
File opened for modification /etc/init.d/selinux /usr/bin/bsd-port/recei N/A

Reads system routing table

discovery
Description Indicator Process Target
File opened for reading /proc/net/route /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 N/A

Write file to user bin folder

persistence
Description Indicator Process Target
File opened for modification /usr/bin/bsd-port/recei.conf /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 N/A
File opened for modification /usr/bin/bsd-port/udevd.conf /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 N/A
File opened for modification /usr/bin/bsd-port/recei /usr/bin/cp N/A
File opened for modification /usr/bin/lsof /usr/bin/cp N/A
File opened for modification /usr/bin/ps /usr/bin/cp N/A
File opened for modification /usr/bin/bsd-port/recei.conf /usr/bin/bsd-port/recei N/A
File opened for modification /usr/bin/oracle /usr/bin/cp N/A
File opened for modification /usr/bin/dpkgd/lsof /usr/bin/cp N/A
File opened for modification /usr/bin/dpkgd/ps /usr/bin/cp N/A

Writes file to system bin folder

Description Indicator Process Target
File opened for modification /bin/lsof /usr/bin/cp N/A
File opened for modification /bin/ps /usr/bin/cp N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 N/A
File opened for reading /proc/cpuinfo /usr/bin/bsd-port/recei N/A

Reads system network configuration

discovery
Description Indicator Process Target
File opened for reading /proc/net/dev /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 N/A
File opened for reading /proc/net/dev /usr/bin/bsd-port/recei N/A
File opened for reading /proc/net/route /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 N/A
File opened for reading /proc/net/arp /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/stat /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 N/A
File opened for reading /proc/filesystems /usr/bin/mkdir N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/filesystems /usr/bin/mkdir N/A
File opened for reading /proc/meminfo /usr/bin/bsd-port/recei N/A
File opened for reading /proc/cmdline /usr/sbin/insmod N/A
File opened for reading /proc/filesystems /usr/bin/mkdir N/A
File opened for reading /proc/sys/kernel/version /usr/bin/bsd-port/recei N/A
File opened for reading /proc/filesystems /usr/bin/mkdir N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/sys/kernel/version /usr/bin/oracle N/A
File opened for reading /proc/meminfo /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 N/A
File opened for reading /proc/cmdline /usr/sbin/insmod N/A
File opened for reading /proc/filesystems /usr/bin/mkdir N/A
File opened for reading /proc/sys/kernel/version /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/filesystems /usr/bin/mkdir N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/stat /usr/bin/bsd-port/recei N/A
File opened for reading /proc/filesystems /usr/bin/mkdir N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/conf.n /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 N/A
File opened for modification /tmp/Dest.cfg /usr/bin/oracle N/A
File opened for modification /tmp/appd.log /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 N/A
File opened for modification /tmp/appd.conf /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 N/A
File opened for modification /tmp/Dest.cfg /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 N/A
File opened for modification /tmp/notify.file /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 N/A
File opened for modification /tmp/appd.log /usr/bin/oracle N/A
File opened for modification /tmp/notify.file /usr/bin/oracle N/A

Processes

/tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60

[/tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60]

/bin/sh

[sh -c ln -s /etc/init.d/VsystemsshMmt /etc/rc1.d/S97VsystemsshMmt]

/usr/bin/ln

[ln -s /etc/init.d/VsystemsshMmt /etc/rc1.d/S97VsystemsshMmt]

/bin/sh

[sh -c ln -s /etc/init.d/VsystemsshMmt /etc/rc2.d/S97VsystemsshMmt]

/usr/bin/ln

[ln -s /etc/init.d/VsystemsshMmt /etc/rc2.d/S97VsystemsshMmt]

/bin/sh

[sh -c ln -s /etc/init.d/VsystemsshMmt /etc/rc3.d/S97VsystemsshMmt]

/usr/bin/ln

[ln -s /etc/init.d/VsystemsshMmt /etc/rc3.d/S97VsystemsshMmt]

/bin/sh

[sh -c ln -s /etc/init.d/VsystemsshMmt /etc/rc4.d/S97VsystemsshMmt]

/usr/bin/ln

[ln -s /etc/init.d/VsystemsshMmt /etc/rc4.d/S97VsystemsshMmt]

/bin/sh

[sh -c ln -s /etc/init.d/VsystemsshMmt /etc/rc5.d/S97VsystemsshMmt]

/usr/bin/ln

[ln -s /etc/init.d/VsystemsshMmt /etc/rc5.d/S97VsystemsshMmt]

/bin/sh

[sh -c mkdir -p /usr/bin/bsd-port]

/usr/bin/mkdir

[mkdir -p /usr/bin/bsd-port]

/bin/sh

[sh -c cp -f /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 /usr/bin/bsd-port/recei]

/usr/bin/cp

[cp -f /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 /usr/bin/bsd-port/recei]

/bin/sh

[sh -c /usr/bin/bsd-port/recei]

/usr/bin/bsd-port/recei

[/usr/bin/bsd-port/recei]

/bin/sh

[sh -c mkdir -p /usr/bin]

/usr/bin/mkdir

[mkdir -p /usr/bin]

/bin/sh

[sh -c cp -f /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 /usr/bin/oracle]

/usr/bin/cp

[cp -f /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60 /usr/bin/oracle]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux]

/usr/bin/ln

[ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux]

/usr/bin/ln

[ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux]

/usr/bin/ln

[ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux]

/usr/bin/ln

[ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux]

/usr/bin/ln

[ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux]

/bin/sh

[sh -c mkdir -p /usr/bin/dpkgd]

/usr/bin/mkdir

[mkdir -p /usr/bin/dpkgd]

/bin/sh

[sh -c /usr/bin/oracle]

/usr/bin/oracle

[/usr/bin/oracle]

/bin/sh

[sh -c insmod /usr/lib/xpacket.ko]

/usr/sbin/insmod

[insmod /usr/lib/xpacket.ko]

/bin/sh

[sh -c cp -f /bin/lsof /usr/bin/dpkgd/lsof]

/usr/bin/cp

[cp -f /bin/lsof /usr/bin/dpkgd/lsof]

/bin/sh

[sh -c mkdir -p /bin]

/usr/bin/mkdir

[mkdir -p /bin]

/bin/sh

[sh -c cp -f /usr/bin/bsd-port/recei /bin/lsof]

/usr/bin/cp

[cp -f /usr/bin/bsd-port/recei /bin/lsof]

/bin/sh

[sh -c chmod 0755 /bin/lsof]

/usr/bin/chmod

[chmod 0755 /bin/lsof]

/bin/sh

[sh -c cp -f /bin/ps /usr/bin/dpkgd/ps]

/usr/bin/cp

[cp -f /bin/ps /usr/bin/dpkgd/ps]

/bin/sh

[sh -c mkdir -p /bin]

/usr/bin/mkdir

[mkdir -p /bin]

/bin/sh

[sh -c cp -f /usr/bin/bsd-port/recei /bin/ps]

/usr/bin/cp

[cp -f /usr/bin/bsd-port/recei /bin/ps]

/bin/sh

[sh -c chmod 0755 /bin/ps]

/usr/bin/chmod

[chmod 0755 /bin/ps]

/bin/sh

[sh -c mkdir -p /usr/bin]

/usr/bin/mkdir

[mkdir -p /usr/bin]

/bin/sh

[sh -c cp -f /usr/bin/bsd-port/recei /usr/bin/lsof]

/usr/bin/cp

[cp -f /usr/bin/bsd-port/recei /usr/bin/lsof]

/bin/sh

[sh -c chmod 0755 /usr/bin/lsof]

/usr/bin/chmod

[chmod 0755 /usr/bin/lsof]

/bin/sh

[sh -c mkdir -p /usr/bin]

/usr/bin/mkdir

[mkdir -p /usr/bin]

/bin/sh

[sh -c cp -f /usr/bin/bsd-port/recei /usr/bin/ps]

/usr/bin/cp

[cp -f /usr/bin/bsd-port/recei /usr/bin/ps]

/bin/sh

[sh -c chmod 0755 /usr/bin/ps]

/usr/bin/chmod

[chmod 0755 /usr/bin/ps]

/bin/sh

[sh -c insmod /usr/lib/xpacket.ko]

/usr/sbin/insmod

[insmod /usr/lib/xpacket.ko]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 192.207.62.45:1688 tcp
US 192.207.62.45:1688 tcp

Files

/tmp/Dest.cfg

MD5 7949e456002b28988d38185bd30e77fd
SHA1 8eac9d03673ad3fa86c1c815275470ec81580e0a
SHA256 3a481e728390d89c6843c180dc18ca8d693de5f5421e6240711c5dad483c72b3
SHA512 86ffa374c2572cf61c670ec5469b80a9f71db097a87e45393aac98ac96a1c019325f360ccbaa6509acd366045c871b0e2ce76503942603228cf87b5c18105586

/etc/init.d/VsystemsshMmt

MD5 f90e9abecef631a29abd65e381fafdab
SHA1 5859bb1f2e934ff5d34ce43f2b88e61e7c860445
SHA256 37fbeb68c2552a6439295d755f77145e7f3a0072d9a56a9202ad5eb5d2cd4d14
SHA512 5e8f1f072d471437f16f1a10dad33668a11726272b53105f4cdf13ed0ed18d5e32f9cdeb337adc71b32eac5442ac81bbab9e5f08ba92f534190594cbd5173d7e

/usr/bin/bsd-port/recei

MD5 f57f99f56834d73211bac97f4ec2dc5c
SHA1 314fff2c301fb120ce100e812e3ef4b31580551d
SHA256 a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60
SHA512 c2785a0b3231ccd5c217f6ec38aa8ca3ece2cc3a3364a3271582ba49cf9ac8a5dfd163765c6284ba72c9bd4e711cc059ba328e6a7ad0b1adeb7e85447b9350a8

/tmp/notify.file

MD5 830fecbd08ef05059315cbcad7735639
SHA1 a178557cb7efc7e62a28071fdb464e982a8c254b
SHA256 83a6029fd731a7c3581fdc37d650d679f934c9944decfffcd786f8cf7e02dfae
SHA512 39cd0d035a01c32e9debf33771f56d9afa442f5d5d5365f3b93b84ec11e348321aa4c08a40109cfc520a9c9e8e8d58df64dd233852323eea7ac2a26fe78c8019

/etc/init.d/selinux

MD5 57cde9c165195cfb90c212057795ed49
SHA1 d77d9895306eb09ad9b54588fb7998c79c671563
SHA256 3e3488e9c63dfadffd594301e2192418b158238bfb8f83d6702123d72892cf36
SHA512 de9af53a508167cbbb820a99c2742918ec5b8c83877b77e43e4b441019311685647f47fb4666ba53ecef4e6a2d5514eb67981d471ddf173b04848609b3c0c00d

/usr/bin/dpkgd/lsof

MD5 ab57b66cc531ae0f996963223e632b60
SHA1 bf7e5becd33f21c2539f5a75ffa0ab61c49c8795
SHA256 2484863a7bfda7f97b90bfd5dfceed4ec9f27dd51f9c5158c8daabbf4309b1df
SHA512 908acef13f3c1d80b7169ec3b16bb67006013453348fff75550bc3c6c2137e798b21d7990edbd5be63d756d9c41b06160aebf38aa80547e4bafa3a62596057f6

/usr/bin/dpkgd/ps

MD5 8146139c2ad7e550b1d1f49480997446
SHA1 074db8890c3227bd8a588417f5b9bde637bcf3af
SHA256 207df9d438f75185ab3af2ab1173d104831a6631c28ef40d38b2ab43de27b40f
SHA512 b6d71d537f593b9af833e6f798e412e95fc486a313414ed8cca9639f61be7ac9dca700e9f861c0d07c7f65b3783127a67f829f422472cad8938ba01d397ab9de

/tmp/conf.n

MD5 0d4750fec88f900553a9e4c96401dc0d
SHA1 e10dde0a5028e3fd300fb85b50ff4e0e228eae4a
SHA256 4cfb90ff9316f4c96aca3e9bf13ff354de99c6b31bc3451a810a0fffebcfb176
SHA512 63ef47b7279afe6bd17028e03f5c124de78dc817fdd4607ffb0a51be0c8c95a76318435b5f0b883d4d20ff54d7f52fbd1877f2952bbfaaeddcc7417f842f840c