Rewterz Threat Alert – Emotet Malware Using Greta Thunberg Demonstration as an Invite

December 20, 2019

Rewterz Threat Alert – PayPal Phishing Attacks

December 23, 2019

Rewterz Threat Alert – NTCrypt – A Malicious Packer

December 23, 2019

Severity

Medium

Analysis Summary

Packers are often used to hide the functionality of executable files from unwanted observers. This can be done for legitimate purposes, such as protecting your intellectual property, but also for malicious purposes; for example, hiding malicious content from security products. Hiding malicious contents in packers are usually not available on company’s website but on hacking forums and not so open for the public.

Figure-1-Crypter-advertised-as-available-on-a-purchasing-website.jpg

NTCrypt, sold on hacking forums and web sites are generally created for malicious purposes. ReversingLabs used their own product to try to search for it on the Internet. One sample they found had “Only for malicious use!” within the version info of the binary. Most of the samples the tool discovered were PE types (compiled executables). They did come across one that was a PE/.NET type. Tracking it, they encountered videos taken of the packer in use. While the PE versions appeared to execute without any visible outcome, the PE/.NET version actually presented a user interface. This allowed them to experiment with the interface and see how NTCrypt functions.

Impact

Hiding malicious content

Indicators of Compromise

SHA-256

8de7b513d770188e3c99828605d04cfd1e232d40151089c300c407986d098706
5ea79e0706c036fb75734ef80825af4c8105214ffe3bcabe12dce1528c56201d
6bbf873b3a409304993867b86c542cdc6c934dea7a70eca540e9c6521b8f83a7
200c14ac227451eb8c74a208d4f61650467a664d228f0e978a10ee4b53d742b9
0bc4545faff1c9379f727f5bef8eea7d7009d5e80f0d6dc99112abe796fc2327
96839a8229d09359724f9c361a1ef9f6ba8cf4af298062369aa0a0d4e1069715
2013f629eb39c967d3b7cf35f4f90c5704205faa96a1df8520c334fe44c625aa
7773d517b5f3dda8db812f16f6b9a916e1a6aadb5b4a99ec98f9492547e72945
23232211bb692367b59c2057cd931198821565dee963398d5fa2f0da92f4de21
959269be199a17991ccf25d03f31a81bc5772673d7b8b6b680e102242dae0b35
44d84faec91b8939d3998f33e3602fa0e0ad5247975bcbc42c2016bb9ebd5fc2
B2b16b16b63ab5f91e84e4bd84617cdd4c2657bb6cf2765c302db508805f46db
08edf586451da1d374517d4c13489d40c675926a4026ba99204b9f2323ea6a69

Remediation

Block all threat indicators at your respective controls.
Always be suspicious about emails sent by unknown senders.
Never click on the links/attachments sent by unknown senders.

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

Critical PHP RCE Vulnerability Under Mass Exploitation in New Attacks

Multiple Adobe Products Vulnerabilities

Apple WebKit Zero-Day Actively Exploited in High-Profile Cyber Attacks

Threat Insights

About Us

Our Leadership

CSR

Connect with Us