April 25, 2024
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
Rewterz Threat Alert – Emotet Malware Using Greta Thunberg Demonstration as an Invite
December 20, 2019Rewterz Threat Alert – PayPal Phishing Attacks
December 23, 2019Rewterz Threat Alert – Emotet Malware Using Greta Thunberg Demonstration as an Invite
December 20, 2019Rewterz Threat Alert – PayPal Phishing Attacks
December 23, 2019
Severity
Medium
Analysis Summary
Packers are often used to hide the functionality of executable files from unwanted observers. This can be done for legitimate purposes, such as protecting your intellectual property, but also for malicious purposes; for example, hiding malicious content from security products. Hiding malicious contents in packers are usually not available on company’s website but on hacking forums and not so open for the public.
NTCrypt, sold on hacking forums and web sites are generally created for malicious purposes. ReversingLabs used their own product to try to search for it on the Internet. One sample they found had “Only for malicious use!” within the version info of the binary. Most of the samples the tool discovered were PE types (compiled executables). They did come across one that was a PE/.NET type. Tracking it, they encountered videos taken of the packer in use. While the PE versions appeared to execute without any visible outcome, the PE/.NET version actually presented a user interface. This allowed them to experiment with the interface and see how NTCrypt functions.
Impact
Hiding malicious content
Indicators of Compromise
SHA-256
- 8de7b513d770188e3c99828605d04cfd1e232d40151089c300c407986d098706
- 5ea79e0706c036fb75734ef80825af4c8105214ffe3bcabe12dce1528c56201d
- 6bbf873b3a409304993867b86c542cdc6c934dea7a70eca540e9c6521b8f83a7
- 200c14ac227451eb8c74a208d4f61650467a664d228f0e978a10ee4b53d742b9
- 0bc4545faff1c9379f727f5bef8eea7d7009d5e80f0d6dc99112abe796fc2327
- 96839a8229d09359724f9c361a1ef9f6ba8cf4af298062369aa0a0d4e1069715
- 2013f629eb39c967d3b7cf35f4f90c5704205faa96a1df8520c334fe44c625aa
- 7773d517b5f3dda8db812f16f6b9a916e1a6aadb5b4a99ec98f9492547e72945
- 23232211bb692367b59c2057cd931198821565dee963398d5fa2f0da92f4de21
- 959269be199a17991ccf25d03f31a81bc5772673d7b8b6b680e102242dae0b35
- 44d84faec91b8939d3998f33e3602fa0e0ad5247975bcbc42c2016bb9ebd5fc2
- B2b16b16b63ab5f91e84e4bd84617cdd4c2657bb6cf2765c302db508805f46db
- 08edf586451da1d374517d4c13489d40c675926a4026ba99204b9f2323ea6a69
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.