• Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Alert – Emotet Malware Using Greta Thunberg Demonstration as an Invite
December 20, 2019
Rewterz Threat Alert – PayPal Phishing Attacks
December 23, 2019

Rewterz Threat Alert – NTCrypt – A Malicious Packer

December 23, 2019

Severity

Medium

Analysis Summary

Packers are often used to hide the functionality of executable files from unwanted observers. This can be done for legitimate purposes, such as protecting your intellectual property, but also for malicious purposes; for example, hiding malicious content from security products. Hiding malicious contents in packers are usually not available on company’s website but on hacking forums and not so open for the public.

Figure-1-Crypter-advertised-as-available-on-a-purchasing-website.jpg

NTCrypt, sold on hacking forums and web sites are generally created for malicious purposes.  ReversingLabs used their own product to try to search for it on the Internet. One sample they found had “Only for malicious use!” within the version info of the binary. Most of the samples the tool discovered were PE types (compiled executables). They did come across one that was a PE/.NET type. Tracking it, they encountered videos taken of the packer in use. While the PE versions appeared to execute without any visible outcome, the PE/.NET version actually presented a user interface. This allowed them to experiment with the interface and see how NTCrypt functions. 

Impact

Hiding malicious content

Indicators of Compromise

SHA-256

  • 8de7b513d770188e3c99828605d04cfd1e232d40151089c300c407986d098706
  • 5ea79e0706c036fb75734ef80825af4c8105214ffe3bcabe12dce1528c56201d
  • 6bbf873b3a409304993867b86c542cdc6c934dea7a70eca540e9c6521b8f83a7
  • 200c14ac227451eb8c74a208d4f61650467a664d228f0e978a10ee4b53d742b9
  • 0bc4545faff1c9379f727f5bef8eea7d7009d5e80f0d6dc99112abe796fc2327
  • 96839a8229d09359724f9c361a1ef9f6ba8cf4af298062369aa0a0d4e1069715
  • 2013f629eb39c967d3b7cf35f4f90c5704205faa96a1df8520c334fe44c625aa
  • 7773d517b5f3dda8db812f16f6b9a916e1a6aadb5b4a99ec98f9492547e72945
  • 23232211bb692367b59c2057cd931198821565dee963398d5fa2f0da92f4de21
  • 959269be199a17991ccf25d03f31a81bc5772673d7b8b6b680e102242dae0b35
  • 44d84faec91b8939d3998f33e3602fa0e0ad5247975bcbc42c2016bb9ebd5fc2
  • B2b16b16b63ab5f91e84e4bd84617cdd4c2657bb6cf2765c302db508805f46db
  • 08edf586451da1d374517d4c13489d40c675926a4026ba99204b9f2323ea6a69

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.
  • Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.