{"id":9475,"date":"2024-10-30T12:22:05","date_gmt":"2024-10-30T12:22:05","guid":{"rendered":"\/cybersecurity-blog\/?p=9475"},"modified":"2025-07-17T08:25:31","modified_gmt":"2025-07-17T08:25:31","slug":"packers-and-crypters-in-malware","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/packers-and-crypters-in-malware\/","title":{"rendered":"Packers and Crypters in Malware
and How to Remove Them"},"content":{"rendered":"\n

In this article, we\u2019ll explore the most common types of protectors\u2014packers and crypters\u2014along with simple ways to detect and remove them.  <\/p>\n\n\n\n

We\u2019ll also introduce some useful tools to simplify the process and improve your malware analysis skills. <\/p>\n\n\n\n

What Are Protectors and What Types Are There? <\/h2>\n\n\n\n

Protectors are tools designed to complicate code analysis, making it harder to detect and examine malware. Two of the most common types of protectors are packers<\/strong> and crypters<\/strong>. <\/p>\n\n\n\n

1. Packers <\/h3>\n\n\n\n

Packers are utilities that package one or more files into a single executable, often adding compression. This process makes static and dynamic detection more difficult, a tactic many types of malware exploit.  <\/p>\n\n\n\n

Certain malware, like those written in scripting languages (e.g., Python or JavaScript) or relying on non-standard libraries, require packing to function properly by including interpreters and necessary libraries. <\/p>\n\n\n\n

Classic examples of packers include installers like NSI and MSI, UPX, MPress, and self-extracting archives (SFX) made with tools like 7zip or WinRAR. <\/p>\n\n\n\n

Packers generally don\u2019t protect application data, making it relatively easy to extract them at runtime in a sandbox or remove the packer using static tools. <\/p>\n\n\n\n

2. Crypters<\/h3>\n\n\n\n

Crypters take protection a step further by encrypting the executable\u2019s contents, often adding layers of packing and obfuscation. Designed to obscure code, crypters make analysis more complex and time-consuming. Examples of crypters include NetReactor, Themida, and VmProtect. <\/p>\n\n\n\n

Main Protection Methods of Crypters:<\/strong> <\/p>\n\n\n\n

    \n
  1. Dynamic unpacking in memory to avoid leaving any disk trace. <\/li>\n<\/ol>\n\n\n\n
      \n
    1. Encryption of files, data, and code<\/strong>, with decryption at runtime. <\/li>\n<\/ol>\n\n\n\n
        \n
      1. Code Obfuscation<\/strong>: Changes the structure and sequence of instructions, transforming (meta)data into unreadable or meaningless characters. <\/li>\n<\/ol>\n\n\n\n
          \n
        1. Virtualization<\/strong>: Transforms code into pseudo-instructions that are either regenerated or interpreted at runtime. <\/li>\n<\/ol>\n\n\n\n

          Note that without virtualization, code is usually weakly protected and can often be restored to its original or near-original state. <\/p>\n\n\n\n

          Identifying Packers: Simple Techniques and Useful Tools <\/h2>\n\n\n\n

          Detecting packers can be simplified with a few straightforward techniques and specialized tools like\u00a0DIE (Detect It Easy)<\/strong>. DIE notifies users when a packer is detected, making it a quick solution for initial identification.\u00a0<\/p>\n\n\n\n

          Let’s consider the following sample<\/a>. When analyzing it with DIE v3.10, we can observe the presence of the MPRESS packer.\u00a0<\/p>\n\n\n

          \n
          \"\"
          The results of DIE analysis, revealing the packer MPRESS<\/em><\/figcaption><\/figure><\/div>\n\n\n

          Opening the sample in DIE reveals section names that indicate packing.\u00a0<\/p>\n\n\n

          \n
          \"\"
          Section demonstration in DIE with names MPRESS1\u00a0and\u00a0MPRESS2<\/em>\u00a0<\/figcaption><\/figure><\/div>\n\n\n

          Packers like UPX<\/strong> and MPRESS<\/strong> often create sections with distinctive names, such as MPRESS1 and MPRESS2, which help analysts identify their usage. <\/p>\n\n\n\n

          We can also examine PE (Portable Executable) information<\/strong> in the Static Discovering<\/strong> window inside ANY.RUN sandbox. This provides further details to help identify these packers and their specific characteristics. <\/p>\n\n\n\n

          Analysis of a sample with UPX sections<\/a> <\/p>\n\n\n

          \n
          \"\"
          Demonstration of UPX0 and UPX1 in Static Discovering section<\/em><\/figcaption><\/figure><\/div>\n\n\n

          We can identify UPX through section names. In certain cases, packers like VMProtect<\/strong> and Themida<\/strong> can also be identified by their distinct section names.<\/p>\n\n\n

          \n
          \"\"
          The <\/em>.vmp0<\/em><\/strong> section characteristic of <\/em>VMProtect<\/em><\/strong>.<\/em> <\/figcaption><\/figure><\/div>\n\n\n

          Sections, such as .vmp0, indicate VMProtect (see example<\/a>). <\/p>\n\n\n

          \n
          \"\"
          The .themida section characteristic of Themida <\/figcaption><\/figure><\/div>\n\n\n

          Sections, such as .themida or .taggant, signal the presence of Themida (see example<\/a>).<\/p>\n\n\n\n\n

          \n\n

          \nTry advanced malware analysis<\/span> with ANY.RUN for free \n<\/p>\n\n\nSign up now\n<\/a>\n<\/div>\n\n\n\n