Packers are often used to hide the functionality of executable files from unwanted observers. This can be done for legitimate purposes, such as protecting your intellectual property, but also for malicious purposes; for example, hiding malicious content from security products. Hiding malicious contents in packers are usually not available on company’s website but on hacking forums and not so open for the public.
NTCrypt, sold on hacking forums and web sites are generally created for malicious purposes. ReversingLabs used their own product to try to search for it on the Internet. One sample they found had “Only for malicious use!” within the version info of the binary. Most of the samples the tool discovered were PE types (compiled executables). They did come across one that was a PE/.NET type. Tracking it, they encountered videos taken of the packer in use. While the PE versions appeared to execute without any visible outcome, the PE/.NET version actually presented a user interface. This allowed them to experiment with the interface and see how NTCrypt functions.
Hiding malicious content