Request a Demo
Rewterz
Rewterz Threat Alert – Emotet Malware Using Greta Thunberg Demonstration as an Invite
December 20, 2019
Rewterz
Rewterz Threat Alert – PayPal Phishing Attacks
December 23, 2019

Rewterz Threat Alert – NTCrypt – A Malicious Packer

Severity

Medium

Analysis Summary

Packers are often used to hide the functionality of executable files from unwanted observers. This can be done for legitimate purposes, such as protecting your intellectual property, but also for malicious purposes; for example, hiding malicious content from security products. Hiding malicious contents in packers are usually not available on company’s website but on hacking forums and not so open for the public.

Figure-1-Crypter-advertised-as-available-on-a-purchasing-website.jpg

NTCrypt, sold on hacking forums and web sites are generally created for malicious purposes.  ReversingLabs used their own product to try to search for it on the Internet. One sample they found had “Only for malicious use!” within the version info of the binary. Most of the samples the tool discovered were PE types (compiled executables). They did come across one that was a PE/.NET type. Tracking it, they encountered videos taken of the packer in use. While the PE versions appeared to execute without any visible outcome, the PE/.NET version actually presented a user interface. This allowed them to experiment with the interface and see how NTCrypt functions.

Impact

Hiding malicious content

Indicators of Compromise

SHA-256

  • 8de7b513d770188e3c99828605d04cfd1e232d40151089c300c407986d098706
  • 5ea79e0706c036fb75734ef80825af4c8105214ffe3bcabe12dce1528c56201d
  • 6bbf873b3a409304993867b86c542cdc6c934dea7a70eca540e9c6521b8f83a7
  • 200c14ac227451eb8c74a208d4f61650467a664d228f0e978a10ee4b53d742b9
  • 0bc4545faff1c9379f727f5bef8eea7d7009d5e80f0d6dc99112abe796fc2327
  • 96839a8229d09359724f9c361a1ef9f6ba8cf4af298062369aa0a0d4e1069715
  • 2013f629eb39c967d3b7cf35f4f90c5704205faa96a1df8520c334fe44c625aa
  • 7773d517b5f3dda8db812f16f6b9a916e1a6aadb5b4a99ec98f9492547e72945
  • 23232211bb692367b59c2057cd931198821565dee963398d5fa2f0da92f4de21
  • 959269be199a17991ccf25d03f31a81bc5772673d7b8b6b680e102242dae0b35
  • 44d84faec91b8939d3998f33e3602fa0e0ad5247975bcbc42c2016bb9ebd5fc2
  • B2b16b16b63ab5f91e84e4bd84617cdd4c2657bb6cf2765c302db508805f46db
  • 08edf586451da1d374517d4c13489d40c675926a4026ba99204b9f2323ea6a69

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.