Malware hidden ?

mike778 · Feb 22, 2021

Can someone from Techpowerup tells me why GPU-Z is using Yoda's crypter ?

Win32 EXE Yoda's Crypter (37.3%)

VirusTotal

www.virustotal.com

I might be missing something, but for me there is only one reason to use a code crypter, hidding a malware.
If there is another reason I will be happy to know it.

This is not new, it has changed quite some time ago, I've never installed it since then.

W1zzard · Feb 22, 2021

First time I hear of Yoda's Crypter. I'm using UPX though to reduce the exe size

You can just unpack the EXE with upx -d

This is the EXE without UPX: https://www.virustotal.com/gui/file...84b9f5c508d253a935176431398fc90fa01e1/details

Guess Yoda's Crypter is a misdetection when UPX is used?

If I wanted to hide malware I would definitely run it through Virustotal first and tweak the executable until a decent result without any detections

Gera of Belote · Feb 23, 2021

I downloaded 2.37 yesterday from US-4 mirror, and our surveillance software and hardware found huge problems with it. Maybe someone/group is unpacking the app and repackaging it with malware? Can the staff at Techpowerup investigate?

Gera of Belote · Feb 23, 2021

Verdict: This sample was determined to be malware.

Summary of behaviors observed during analysis:

- Created or modified a file in the Windows system folder

- Created or modified a file

- Started a process

- Modified the Windows Registry

- Created an executable file in a user folder

- Started a process from a user folder

- Created a device driver

- Created a hidden executable file

- Modified proxy settings for Internet Explorer

- Modified connections settings for Internet Explorer

- Installed a hook

- Started or stopped a Windows system service

- Attempted to sleep for a long period

- Sample registered a Graphical User Interface callback

- Dummy rule that should be fired on every PE sample

- Opened another process with full access

- Enumerated running processes

- Sent commands to a device driver

- Set hidden file attribute

- checks if a process is running in background

- Contains non-standard section names

- First section is writable

- Contains an unusual entry point

- Contains sections with zero raw size

- Contains sections with size discrepancies

- Contains sections with high entropy

- Contains a TLS section

- Contains overlay data

- Uses a known packer

- This PE file contains sections belong to known packers

- Contains sections with zero size

- Corrupted PE header

- Contains sections set to both writable and executable

- Matches a static analysis signature

- PE file with valid digital signature

W1zzard · Feb 23, 2021

I don't see anything in this report that would indicate it is malware, other than "Verdict Malware". Some of these techniques are slightly uncommon, but GPU-Z isn't your standard Windows program either

PLEASE reach out to your AV vendor and ask for clarification, they are the only ones who can help you get an answer, because they've designed their software to work in a certain way.

GPU-Z is definitely not malware, it is used by millions of users.

You can find the Virustotal result here: https://www.virustotal.com/gui/file...d7b565b8545f3110c2650b346accd97cb16/detection

Looks like Palo Alto has some homework to do, too, maybe your WilfFire AV used Palo Alto's scanning engine?

Gera of Belote said:
Maybe someone/group is unpacking the app and repackaging it with malware?

A great way to check if the file has been tampered with since I released it is to right click, properties, digital signatures and verify if the TPU digital signature is OK

OneMoar · Feb 23, 2021

Gera of Belote said:
I downloaded 2.37 yesterday from US-4 mirror, and our surveillance software and hardware found huge problems with it. Maybe someone/group is unpacking the app and repackaging it with malware? Can the staff at Techpowerup investigate?

whatever software you are using is complete garbage please use a reputable Antimalware such as malware bytes of ESET do not come here with your red herrings thanks

Frick · Feb 23, 2021

I've had AV's throw false positives for plaintext files with a weird file ending.

Deleted member 205776 · Feb 23, 2021

Third party AVs are a joke. GPU-Z is not malware.

Chomiq · Feb 23, 2021

Brand new user pops up with "AV detected malware in GPU-Z", another brand new user pops up with "AV analysis showing malware detected" and a .pdf file. Totally not a bait.

OneMoar · Feb 23, 2021

permabans for the both of them don't give these morons the time of day
we got enough morons on tpu we don't need anymore

Deleted member 205776 · Feb 23, 2021

mike778 said:
Yoda's Crypter

Night · Feb 23, 2021

You should also run the listed MD5 checksum after downloading files, especially from somewhere other than TPU. I've been using this for years for hash checks: http://code.kliu.org/hashcheck/

W1zzard · Feb 23, 2021

Chomiq said:
Brand new user pops up with "AV detected malware in GPU-Z", another brand new user pops up with "AV analysis showing malware detected" and a .pdf file. Totally not a bait.

OneMoar said:
permabans for the both of them don't give these morons the time of day
we got enough morons on tpu we don't need anymore

Nah he has a concern and was kind enough to make a thread here. This is exactly why we have these forums. GPU-Z is used by millions of people around the world with wildly varying tech skillsets, and I'm happy to answer any question, rather than not even know there's an issue that has people worried.

Gera of Belote · Feb 23, 2021

Thank you for the kind words W1zzard and others. My team and I got off a Zoom meeting with Arctic Wolf regarding GPU-Z v2.37.0.exe. Arctic Wolf reviewed with us some of the files and file changes, the registry changes, the IE changes, etc., and so far it seems benign; there was some unusual behavior, but it was benign. Our security vendor and our team tested a few previous versions of GPU-Z, and they did not exhibit the unusual behaviors of v2.37 that got flagged by our security hardware and software. Arctic Wolf will issue us a report on the analysis in a few days, and I will share the report to this forum.

qubit · Feb 23, 2021

GPU-Z = epic. :cool:

W1zzard · Feb 23, 2021

Gera of Belote said:
Thank you for the kind words W1zzard and others. My team and I got off a Zoom meeting with Arctic Wolf regarding GPU-Z v2.37.0.exe. Arctic Wolf reviewed with us some of the files and file changes, the registry changes, the IE changes, etc., and so far it seems benign; there was some unusual behavior, but it was benign. Our security vendor and our team tested a few previous versions of GPU-Z, and they did not exhibit the unusual behaviors of v2.37 that got flagged by our security hardware and software. Arctic Wolf will issue us a report on the analysis in a few days, and I will share the report to this forum.

Thanks! Much appreciated.

For this build I changed the UPX compression parameters to reduce EXE size even further, from upx.exe --keep-resource=16,14,3 "$(OutDir)$(ProjectName).exe to upx.exe --best --crp-ms=999999 --lzma --keep-resource=16,14,3 "$(OutDir)$(ProjectName).exe"

Maybe that triggered the detection

Gera of Belote · Feb 23, 2021

W1zzard said:
Thanks! Much appreciated.

For this build I changed the UPX compression parameters to reduce EXE size even further, from upx.exe --keep-resource=16,14,3 "$(OutDir)$(ProjectName).exe to upx.exe --best --crp-ms=999999 --lzma --keep-resource=16,14,3 "$(OutDir)$(ProjectName).exe"

Maybe that triggered the detection

Update from wildfire.paloaltonetworks.com regarding GPU-Z v2.37.0:

WildFire Update: Incorrect Verdict

SHA256: 13A8D0899907BB0350A0CC7971919D7B565B8545F3110C2650B346ACCD97CB16

Received Time: 2021-02-22 15:41:40 (UTC) Updated Time: 2021-02-23 20:58:16 (UTC)

After further review, the file was determined to be benign, and the signature for this file has been removed.

I have asked for the report from ArcticWolf Network Security Teams. Once I have it, I will post.

DeathtoGnomes · Feb 23, 2021

for those curious about ArticWolf, en excerpt from their wiki

Arctic Wolf was founded in 2012 and has focused on providing managed security services to small and midmarket organizations.[3] The company was listed as a Gartner Cool Vendor in security for mid sized enterprises in June 2018. In 2019 and again in 2020, the company was named to the Deloitte Fast 500 list of fast-growing companies.

not your average home AV software

Gera of Belote · Feb 24, 2021

For those curious about Palo Alto Networks, an excerpt from Wikipedia:

Palo Alto Networks, Inc. (NYSE: PANW) is an American multinational cybersecurity company with headquarters in Santa Clara, California. Its core products are a platform that includes advanced firewalls and cloud-based offerings that extend those firewalls to cover other aspects of security. The company serves over 70,000 organizations in over 150 countries, including 85 of the Fortune 100.[6] It is home to the Unit 42 threat research team[7] and hosts the Ignite cybersecurity conference.[8]

In 2018, Palo Alto Networks was listed 8th in the Forbes Digital 100.[9] In June 2018, former Google and SoftBank executive Nikesh Arora joined the company as Chairman and CEO.[10]

Nuckles56 · Feb 24, 2021

Frick said:
I've had AV's throw false positives for plaintext files with a weird file ending.

I had major issues with a version of Aurora 4x for similar reasons

R-T-B · Feb 24, 2021

Heck, my open source mod got flagged as malware the other day by Windows Defender. Despite the fact I literally publish the source.

False positives happen.

Frick · Feb 24, 2021

Nuckles56 said:
I had major issues with a version of Aurora 4x for similar reasons

1. You are a top tier person.
2. I assume it was the wrapper that was the problem? That thing has all kinds of weirdness to it.

thesmokingman · Feb 24, 2021

It's called a false positive...

Nuckles56 · Feb 24, 2021

Frick said:
1. You are a top tier person.
2. I assume it was the wrapper that was the problem? That thing has all kinds of weirdness to it.

Haha thanks, I will say that I still very much struggle with that game.
I never did find out what the exact issue was(I don't have the knowledge to work it out), I just told the windows defender to leave it alone and it was fine after that

Chomiq · Feb 24, 2021

Gera of Belote said:
For those curious about Palo Alto Networks, an excerpt from Wikipedia:

Palo Alto Networks, Inc. (NYSE: PANW) is an American multinational cybersecurity company with headquarters in Santa Clara, California. Its core products are a platform that includes advanced firewalls and cloud-based offerings that extend those firewalls to cover other aspects of security. The company serves over 70,000 organizations in over 150 countries, including 85 of the Fortune 100.[6] It is home to the Unit 42 threat research team[7] and hosts the Ignite cybersecurity conference.[8]

In 2018, Palo Alto Networks was listed 8th in the Forbes Digital 100.[9] In June 2018, former Google and SoftBank executive Nikesh Arora joined the company as Chairman and CEO.[10]

How about next time introduce yourself if you represent some company.

Processor	Ryzen 7 5700X
Memory	48 GB
Video Card(s)	RTX 4080
Storage	2x HDD RAID 1, 3x M.2 NVMe
Display(s)	30" 2560x1600 + 19" 1280x1024
Software	Windows 10 64-bit

Processor	Ryzen 7 5700X
Memory	48 GB
Video Card(s)	RTX 4080
Storage	2x HDD RAID 1, 3x M.2 NVMe
Display(s)	30" 2560x1600 + 19" 1280x1024
Software	Windows 10 64-bit

System Name	RPC MK2.5
Processor	Ryzen 5800x
Motherboard	Gigabyte Aorus Pro V2
Cooling	Thermalright Phantom Spirit SE
Memory	CL16 BL2K16G36C16U4RL 3600 1:1 micron e-die
Video Card(s)	GIGABYTE RTX 3070 Ti GAMING OC
Storage	Nextorage NE1N 2TB ADATA SX8200PRO NVME 512GB, Intel 545s 500GBSSD, ADATA SU800 SSD, 3TB Spinner
Display(s)	LG Ultra Gear 32 1440p 165hz Dell 1440p 75hz
Case	Phanteks P300 /w 300A front panel conversion
Audio Device(s)	onboard
Power Supply	SeaSonic Focus+ Platinum 750W
Mouse	Kone burst Pro
Keyboard	SteelSeries Apex 7
Software	Windows 11 +startisallback

System Name	Black MC in Tokyo
Processor	Ryzen 5 7600
Motherboard	MSI X670E Gaming Plus Wifi
Cooling	Be Quiet! Pure Rock 2
Memory	2 x 16GB Corsair Vengeance @ 6000Mhz
Video Card(s)	XFX 6950XT Speedster MERC 319
Storage	Kingston KC3000 1TB \| WD Black SN750 2TB \|WD Blue 1TB x 2 \| Toshiba P300 2TB \| Seagate Expansion 8TB
Display(s)	Samsung U32J590U 4K + BenQ GL2450HT 1080p
Case	Fractal Design Define R4
Audio Device(s)	AuraSound AS42 Soundbar \| Plantronics 5220 \| Sony WH-1000XM3 \| Nektar SE61 \| Behringer XR18
Power Supply	Corsair RM850x v3
Mouse	Logitech G602
Keyboard	Dell SK3205
Software	Windows 10 Pro
Benchmark Scores	Rimworld 4K ready!

Processor	Ryzen 7 5800X3D
Motherboard	Gigabyte X570 Aorus Elite
Cooling	Thermalright Phantom Spirit 120 SE
Memory	2x16 GB Crucial Ballistix 3600 CL16 Rev E @ 3600 CL14
Video Card(s)	RTX3080 Ti FE
Storage	SX8200 Pro 1 TB, Plextor M6Pro 256 GB, WD Blue 2TB
Display(s)	LG 34GN850P-B
Case	SilverStone Primera PM01 RGB
Audio Device(s)	SoundBlaster G6 \| Fidelio X2 \| Sennheiser 6XX
Power Supply	SeaSonic Focus Plus Gold 750W
Mouse	Endgame Gear XM1R
Keyboard	Wooting Two HE

Processor	Intel i7 4770k
Motherboard	ASUS Sabertooth Z87
Cooling	BeQuiet! Shadow Rock 3
Memory	Patriot Viper 3 RedD 16 GB @ 1866 MHz
Video Card(s)	XFX RX 480 GTR 8GB
Storage	1x SSD Samsung EVO 250 GB 1x HDD Seagate Barracuda 3 TB 1x HDD Seagate Barracuda 4 TB
Display(s)	AOC Q27G2U QHD, Dell S2415H FHD
Case	Cooler Master HAF XM
Audio Device(s)	Magnat LZR 980, Razer BlackShark V2, Altec Lansing 251
Power Supply	Corsair AX860
Mouse	Razer DeathAdder V2
Keyboard	Razer Huntsman Tournament Edition
Software	Windows 10 Pro x64

System Name	Quantumville™
Processor	Intel Core i7-2700K @ 4GHz
Motherboard	Asus P8Z68-V PRO/GEN3
Cooling	Noctua NH-D14
Memory	16GB (2 x 8GB Corsair Vengeance Black DDR3 PC3-12800 C9 1600MHz)
Video Card(s)	MSI RTX 2080 SUPER Gaming X Trio
Storage	Samsung 850 Pro 256GB \| WD Black 4TB \| WD Blue 6TB
Display(s)	ASUS ROG Strix XG27UQR (4K, 144Hz, G-SYNC compatible) \| Asus MG28UQ (4K, 60Hz, FreeSync compatible)
Case	Cooler Master HAF 922
Audio Device(s)	Creative Sound Blaster X-Fi Fatal1ty PCIe
Power Supply	Corsair AX1600i
Mouse	Microsoft Intellimouse Pro - Black Shadow
Keyboard	Yes
Software	Windows 10 Pro 64-bit

System Name	Dumbass
Processor	AMD Ryzen 7800X3D
Motherboard	ASUS TUF gaming B650
Cooling	Artic Liquid Freezer 2 - 420mm
Memory	G.Skill Sniper 32gb DDR5 6000
Video Card(s)	GreenTeam 4070 ti super 16gb
Storage	Samsung EVO 500gb & 1Tb, 2tb HDD, 500gb WD Black
Display(s)	1x Nixeus NX_EDG27, 2x Dell S2440L (16:9)
Case	Phanteks Enthoo Primo w/8 140mm SP Fans
Audio Device(s)	onboard (realtek?) - SPKRS:Logitech Z623 200w 2.1
Power Supply	Corsair HX1000i
Mouse	Steeseries Esports Wireless
Keyboard	Corsair K100
Software	windows 10 H
Benchmark Scores	https://i.imgur.com/aoz3vWY.jpg?2

System Name	Storm Wrought \| Blackwood (HTPC)
Processor	AMD Ryzen 9 5900x @stock \| i7 2600k
Motherboard	Gigabyte X570 Aorus Pro WIFI m-ITX \| Some POS gigabyte board
Cooling	Deepcool AK620, BQ shadow wings 3 High Spd, stock 180mm \|BQ Shadow rock LP + 4x120mm Noctua redux
Memory	G.Skill Ripjaws V 2x32GB 4000MHz \| 2x4GB 2000MHz @1866
Video Card(s)	Powercolor RX 6800XT Red Dragon \| PNY a2000 6GB
Storage	SX8200 Pro 1TB, 1TB KC3000, 850EVO 500GB, 2+8TB Seagate, LG Blu-ray \| 120GB Sandisk SSD, 4TB WD red
Display(s)	Samsung UJ590UDE 32" UHD monitor \| LG CS 55" OLED
Case	Silverstone TJ08B-E \| Custom built wooden case (Aus native timbers)
Audio Device(s)	Onboard, Sennheiser HD 599 cans / Logitech z163's \| Edifier S2000 MKIII via toslink
Power Supply	Corsair HX 750 \| Corsair SF 450
Mouse	Microsoft Pro Intellimouse\| Some logitech one
Keyboard	GMMK w/ Zelio V2 62g (78g for spacebar) tactile switches & Glorious black keycaps\| Some logitech one
VR HMD	HTC Vive
Software	Win 10 Edu \| Ubuntu 22.04
Benchmark Scores	Look in the various benchmark threads

System Name	Pioneer
Processor	Ryzen 9 9950X
Motherboard	MSI MAG X670E Tomahawk Wifi
Cooling	Noctua NH-D15 + A whole lotta Sunon, Phanteks and Corsair Maglev blower fans...
Memory	64GB (2x 32GB) G.Skill Flare X5 @ DDR5-6200(Running 1T no GDM)
Video Card(s)	PNY RTX 5080 OC
Storage	Intel 5800X Optane 800GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs, 1x 2TB Seagate Exos 3.5"
Display(s)	55" LG 55" B9 OLED 4K Display
Case	Thermaltake Core X31
Audio Device(s)	TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply	FSP Hydro Ti Pro 850W
Mouse	Logitech G305 Lightspeed Wireless
Keyboard	WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software	Gentoo Linux x64, other office machines run Windows 11 Enterprise

Processor	AMD 5900x
Motherboard	Asus x570 Strix-E
Cooling	Hardware Labs
Memory	G.Skill 4000c17 2x16gb
Video Card(s)	RTX 3090
Storage	Sabrent
Display(s)	Samsung G9
Case	Phanteks 719
Audio Device(s)	Fiio K5 Pro
Power Supply	EVGA 1000 P2
Mouse	Logitech G600
Keyboard	Corsair K95

Malware hidden ?

New Member

Administrator

New Member

Attachments

New Member

Administrator

There is Always Moar

Fishfaced Nincompoop

Deleted member 205776

Guest

There is Always Moar

Deleted member 205776

Guest

Administrator

New Member

Overclocked quantum bit

Administrator

New Member

New Member

Fishfaced Nincompoop