
Malware hidden ?

mike778

New Member
Joined
Feb 22, 2021
Messages
1 (0.01/day)
Can someone from TechPowerUp tell me why GPU-Z is using Yoda's Crypter?

Win32 EXE Yoda's Crypter (37.3%)


I might be missing something, but for me there is only one reason to use a code crypter: hiding malware.
If there is another reason, I will be happy to know it.

This is not new; it changed quite some time ago, and I haven't installed it since then.
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
22,512 (3.58/day)
First time I've heard of Yoda's Crypter. I'm using UPX though, to reduce the EXE size.

You can just unpack the EXE with upx -d

This is the EXE without UPX: https://www.virustotal.com/gui/file...84b9f5c508d253a935176431398fc90fa01e1/details

Guess Yoda's Crypter is a misdetection when UPX is used?

If I wanted to hide malware I would definitely run it through Virustotal first and tweak the executable until a decent result without any detections ;)
 

Gera of Belote

New Member
Joined
Feb 23, 2021
Messages
5 (0.03/day)
I downloaded 2.37 yesterday from US-4 mirror, and our surveillance software and hardware found huge problems with it. Maybe someone/group is unpacking the app and repackaging it with malware? Can the staff at Techpowerup investigate?
 

Attachments

  • 13a8d0899907bb0350a0cc7971919d7b565b8545f3110c2650b346accd97cb16.pdf
    122.8 KB · Views: 64

Gera of Belote

New Member
Joined
Feb 23, 2021
Messages
5 (0.03/day)
Verdict: This sample was determined to be malware.

Summary of behaviors observed during analysis:

- Created or modified a file in the Windows system folder
- Created or modified a file
- Started a process
- Modified the Windows Registry
- Created an executable file in a user folder
- Started a process from a user folder
- Created a device driver
- Created a hidden executable file
- Modified proxy settings for Internet Explorer
- Modified connections settings for Internet Explorer
- Installed a hook
- Started or stopped a Windows system service
- Attempted to sleep for a long period
- Sample registered a Graphical User Interface callback
- Dummy rule that should be fired on every PE sample
- Opened another process with full access
- Enumerated running processes
- Sent commands to a device driver
- Set hidden file attribute
- checks if a process is running in background
- Contains non-standard section names
- First section is writable
- Contains an unusual entry point
- Contains sections with zero raw size
- Contains sections with size discrepancies
- Contains sections with high entropy
- Contains a TLS section
- Contains overlay data
- Uses a known packer
- This PE file contains sections belong to known packers
- Contains sections with zero size
- Corrupted PE header
- Contains sections set to both writable and executable
- Matches a static analysis signature
- PE file with valid digital signature
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
22,512 (3.58/day)
I don't see anything in this report that would indicate it is malware, other than "Verdict Malware". Some of these techniques are slightly uncommon, but GPU-Z isn't your standard Windows program either.

PLEASE reach out to your AV vendor and ask for clarification, they are the only ones who can help you get an answer, because they've designed their software to work in a certain way.

GPU-Z is definitely not malware, it is used by millions of users.

You can find the Virustotal result here: https://www.virustotal.com/gui/file...d7b565b8545f3110c2650b346accd97cb16/detection

Looks like Palo Alto has some homework to do, too. Maybe your WildFire AV used Palo Alto's scanning engine?

Maybe someone/group is unpacking the app and repackaging it with malware?
A great way to check if the file has been tampered with since I released it is to right-click > Properties > Digital Signatures and verify that the TPU digital signature is OK.

 
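W1zzard's explanation earlier in the thread (UPX packing, `upx -d` to unpack, checking the digital signature) and the static signatures in the pasted report are two sides of the same thing: a UPX-packed executable has sections named UPX0/UPX1, an empty first section that is writable and executable, a high-entropy compressed section holding the entry point, and, if the file is code-signed, an Authenticode blob appended after the last section, which is what a scanner reports as "overlay data". The script below is an added example written for this thread, not code from GPU-Z, TechPowerUp, UPX or any AV vendor. It parses the section table of a PE image with the Python standard library only, evaluates those heuristics, and builds a constructed PE32 skeleton with a UPX-like layout to run them on; the section names, sizes, entry point and placeholder certificate in that sample are made up, and the thresholds (entropy above 7 bits per byte, virtual size more than four times raw size) are assumptions, not any vendor's rules.

```python
"""Static triage of a PE image: which of the report's packer heuristics fire on a
UPX-style section layout, and whether an Authenticode certificate table is present.
Added example for this thread (Python 3, standard library only); not code from
GPU-Z, TechPowerUp, UPX or any AV vendor."""
import math
import random
import struct
from collections import Counter

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data-directory slot of the certificate table
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2"}
HIGH_ENTROPY_BITS = 7.0              # assumed threshold; compressed data sits near 8 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(pe: bytes) -> dict:
    """Read entry point, security directory and section table of a PE32/PE32+ image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+ layout
    cert_off, cert_size = struct.unpack_from(               # file offset, not an RVA
        "<II", pe, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rsize": rsize, "rptr": rptr,
                         "chars": chars, "raw": pe[rptr:rptr + rsize] if rsize else b""})
    return {"entry_rva": entry_rva, "cert_off": cert_off,
            "cert_size": cert_size, "sections": sections}


def packer_heuristics(pe: bytes) -> dict:
    """Evaluate the static signatures named in the sandbox report against one image."""
    info = parse_pe(pe)
    secs = info["sections"]
    first = secs[0]
    entry_in_first = first["vaddr"] <= info["entry_rva"] < first["vaddr"] + first["vsize"]
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return {
        "uses_known_packer": any(s["name"] in KNOWN_PACKER_SECTIONS for s in secs),
        "first_section_writable": bool(first["chars"] & IMAGE_SCN_MEM_WRITE),
        "unusual_entry_point": not entry_in_first,            # UPX stub lives in UPX1
        "zero_raw_size": [s["name"] for s in secs if s["rsize"] == 0],
        "size_discrepancy": [s["name"] for s in secs if s["vsize"] > 4 * max(s["rsize"], 1)],
        "high_entropy": [s["name"] for s in secs
                         if shannon_entropy(s["raw"]) > HIGH_ENTROPY_BITS],
        "writable_and_executable": [s["name"] for s in secs if s["chars"] & wx == wx],
        # bytes past the last section's raw data are "overlay"; an Authenticode blob
        # lives exactly there, so every signed file trips this rule
        "has_overlay": len(pe) > max(s["rptr"] + s["rsize"] for s in secs),
        "has_certificate_table": info["cert_size"] > 0,   # presence only, not validity
    }


def build_constructed_upx_like_pe(seed: int = 7) -> bytes:
    """CONSTRUCTED sample (not a real executable): a PE32 skeleton with the section
    layout UPX produces (empty UPX0, compressed UPX1 holding the entry point, small
    .rsrc) plus a dummy WIN_CERTIFICATE appended as overlay."""
    rng = random.Random(seed)
    upx1_raw = bytes(rng.getrandbits(8) for _ in range(0x1000))   # stands in for LZMA output
    rsrc_raw = (b"\0" * 0x100 + b"constructed resource stub").ljust(0x200, b"\0")
    cert_body = b"constructed PKCS#7 placeholder"
    win_cert = struct.pack("<IHH", 8 + len(cert_body), 0x0200, 0x0002) + cert_body
    rwx = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    sections = [  # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, flags)
        (b"UPX0", 0x10000, 0x1000, 0, 0, IMAGE_SCN_CNT_UNINITIALIZED_DATA | rwx),
        (b"UPX1", 0x2000, 0x11000, len(upx1_raw), 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | rwx),
        (b".rsrc", 0x200, 0x13000, len(rsrc_raw), 0x1200,
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    cert_off = 0x1200 + len(rsrc_raw)                     # overlay begins right after .rsrc
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 96 + 16 * 8, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, 0x11100)              # AddressOfEntryPoint inside UPX1
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)   # ImageBase, alignments
    struct.pack_into("<II", opt, 56, 0x14000, 0x200)      # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                    # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(win_cert))
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in sections)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(dirs) + table).ljust(0x200, b"\0")
    return headers + upx1_raw + rsrc_raw + win_cert


if __name__ == "__main__":
    for rule, fired in packer_heuristics(build_constructed_upx_like_pe()).items():
        print(f"{rule:26} {fired}")
```

On a real download call `packer_heuristics(open("GPU-Z.exe", "rb").read())` (filename assumed). Note that `has_certificate_table` only says a certificate table exists; whether the signature is valid and chains to a trusted publisher is what `signtool verify /pa` or PowerShell's `Get-AuthenticodeSignature` answer, which is the check W1zzard describes. The signature was computed over the packed bytes, so verify it on the file exactly as downloaded, before running `upx -d` on it.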

OneMoar

There is Always Moar
Joined
Apr 9, 2010
Messages
8,141 (1.97/day)
I downloaded 2.37 yesterday from US-4 mirror, and our surveillance software and hardware found huge problems with it. Maybe someone/group is unpacking the app and repackaging it with malware? Can the staff at Techpowerup investigate?
Whatever software you are using is complete garbage. Please use a reputable anti-malware product such as Malwarebytes or ESET. Do not come here with your red herrings, thanks.
 

Frick

Fishfaced Nincompoop
Joined
Feb 27, 2006
Messages
17,069 (3.03/day)
I've had AV's throw false positives for plaintext files with a weird file ending.
 
Deleted member 205776

Guest
Third party AVs are a joke. GPU-Z is not malware.
 
Joined
Feb 23, 2019
Messages
2,748 (3.08/day)
Brand new user pops up with "AV detected malware in GPU-Z", another brand new user pops up with "AV analysis showing malware detected" and a .pdf file. Totally not bait.
 

OneMoar

There is Always Moar
Joined
Apr 9, 2010
Messages
8,141 (1.97/day)
Permabans for both of them; don't give these morons the time of day.
We've got enough morons on TPU, we don't need any more.
 
Joined
Aug 15, 2016
Messages
290 (0.16/day)
You should also run the listed MD5 checksum after downloading files, especially from somewhere other than TPU. I've been using this for years for hash checks: http://code.kliu.org/hashcheck/
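The checksum advice above, worked through as an added example for this thread (Python 3, standard library only; not TechPowerUp's code, and the manifest lines and file contents it uses are constructed). It streams the file through the digest, parses a `sha256sum`/`md5sum`-style list, picks the algorithm from the digest length, and compares with `hmac.compare_digest`. Two caveats the post leaves out: MD5 collisions are practical, so prefer the SHA-256 when one is published, and a checksum hosted beside the download only catches corruption or a tampered mirror, not a compromised origin; the code signature W1zzard mentions ties the file to a signing key and is the stronger check.

```python
"""Verify a downloaded file against a published checksum list (sha256sum/md5sum
format).  Added example for this thread (Python 3, standard library only); the
manifest and file contents below are constructed, not TechPowerUp's."""
import hashlib
import hmac
import os
import tempfile

ALGO_BY_DIGEST_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}   # hex chars


def hash_file(path: str, algo: str, chunk: int = 1 << 20) -> str:
    """Stream the file through the digest so large installers do not land in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Map filename -> (algorithm, hexdigest) from `<digest>  <name>` lines."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")          # `*name` marks binary mode in *sum output
        digest = digest.lower()
        if len(digest) not in ALGO_BY_DIGEST_LEN or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest for {name!r}")
        expected[name] = (ALGO_BY_DIGEST_LEN[len(digest)], digest)
    return expected


def verify_download(path: str, manifest: dict) -> bool:
    """True only if the file's digest matches the manifest entry for its basename."""
    name = os.path.basename(path)
    if name not in manifest:
        raise KeyError(f"{name} is not listed in the manifest")
    algo, published = manifest[name]
    actual = hash_file(path, algo)
    # compare_digest is constant-time and returns False (no exception) on length mismatch
    return hmac.compare_digest(actual, published)


def demo() -> tuple:
    """Write a constructed 'installer', verify it, then flip one byte and re-verify."""
    payload = b"MZ" + bytes(range(256)) * 64          # constructed stand-in for the download
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "gpuz-installer.exe")  # constructed filename
        with open(path, "wb") as f:
            f.write(payload)
        manifest = parse_manifest(
            f"# constructed manifest\n{hashlib.sha256(payload).hexdigest()}  gpuz-installer.exe\n"
            f"{hashlib.md5(payload).hexdigest()} *other-file.exe\n")
        clean = verify_download(path, manifest)
        with open(path, "r+b") as f:                   # simulate tampering in transit
            f.seek(100)
            f.write(b"\xff")
        tampered = verify_download(path, manifest)
    return clean, tampered


if __name__ == "__main__":
    print("clean verified: %s, tampered verified: %s" % demo())
```

For a real download, build the manifest from the checksum text published with the file and call `verify_download("GPU-Z.exe", manifest)` (filename assumed); a `KeyError` means the name in the list does not match what you downloaded, which is itself worth a second look.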
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
22,512 (3.58/day)
Brand new user pops up with "AV detected malware in GPU-Z", another brand new user pops up with "AV analysis showing malware detected" and a .pdf file. Totally not bait.

Permabans for both of them; don't give these morons the time of day.
We've got enough morons on TPU, we don't need any more.

Nah he has a concern and was kind enough to make a thread here. This is exactly why we have these forums. GPU-Z is used by millions of people around the world with wildly varying tech skillsets, and I'm happy to answer any question, rather than not even know there's an issue that has people worried.
 

Gera of Belote

New Member
Joined
Feb 23, 2021
Messages
5 (0.03/day)
Thank you for the kind words W1zzard and others. My team and I got off a Zoom meeting with Arctic Wolf regarding GPU-Z v2.37.0.exe. Arctic Wolf reviewed with us some of the files and file changes, the registry changes, the IE changes, etc., and so far it seems benign; there was some unusual behavior, but it was benign. Our security vendor and our team tested a few previous versions of GPU-Z, and they did not exhibit the unusual behaviors of v2.37 that got flagged by our security hardware and software. Arctic Wolf will issue us a report on the analysis in a few days, and I will share the report to this forum.
 

qubit

Overclocked quantum bit
Joined
Dec 6, 2007
Messages
16,667 (3.34/day)
GPU-Z = epic. :cool:
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
22,512 (3.58/day)
Thank you for the kind words W1zzard and others. My team and I got off a Zoom meeting with Arctic Wolf regarding GPU-Z v2.37.0.exe. Arctic Wolf reviewed with us some of the files and file changes, the registry changes, the IE changes, etc., and so far it seems benign; there was some unusual behavior, but it was benign. Our security vendor and our team tested a few previous versions of GPU-Z, and they did not exhibit the unusual behaviors of v2.37 that got flagged by our security hardware and software. Arctic Wolf will issue us a report on the analysis in a few days, and I will share the report to this forum.
Thanks! Much appreciated.

For this build I changed the UPX compression parameters to reduce EXE size even further, from upx.exe --keep-resource=16,14,3 "$(OutDir)$(ProjectName).exe" to upx.exe --best --crp-ms=999999 --lzma --keep-resource=16,14,3 "$(OutDir)$(ProjectName).exe"

Maybe that triggered the detection.
 

Gera of Belote

New Member
Joined
Feb 23, 2021
Messages
5 (0.03/day)
Thanks! Much appreciated.

For this build I changed the UPX compression parameters to reduce EXE size even further, from upx.exe --keep-resource=16,14,3 "$(OutDir)$(ProjectName).exe" to upx.exe --best --crp-ms=999999 --lzma --keep-resource=16,14,3 "$(OutDir)$(ProjectName).exe"

Maybe that triggered the detection.

Update from wildfire.paloaltonetworks.com regarding GPU-Z v2.37.0:

WildFire Update: Incorrect Verdict

SHA256: 13A8D0899907BB0350A0CC7971919D7B565B8545F3110C2650B346ACCD97CB16

Received Time: 2021-02-22 15:41:40 (UTC) Updated Time: 2021-02-23 20:58:16 (UTC)

After further review, the file was determined to be benign, and the signature for this file has been removed.

I have asked for the report from ArcticWolf Network Security Teams. Once I have it, I will post.
 
Joined
Jul 16, 2014
Messages
5,343 (2.08/day)
For those curious about Arctic Wolf, an excerpt from their Wikipedia entry:

Arctic Wolf was founded in 2012 and has focused on providing managed security services to small and midmarket organizations.[3] The company was listed as a Gartner Cool Vendor in security for mid sized enterprises in June 2018. In 2019 and again in 2020, the company was named to the Deloitte Fast 500 list of fast-growing companies.

Not your average home AV software.
 

Gera of Belote

New Member
Joined
Feb 23, 2021
Messages
5 (0.03/day)
For those curious about Palo Alto Networks, an excerpt from Wikipedia:

Palo Alto Networks, Inc. (NYSE: PANW) is an American multinational cybersecurity company with headquarters in Santa Clara, California. Its core products are a platform that includes advanced firewalls and cloud-based offerings that extend those firewalls to cover other aspects of security. The company serves over 70,000 organizations in over 150 countries, including 85 of the Fortune 100.[6] It is home to the Unit 42 threat research team[7] and hosts the Ignite cybersecurity conference.[8]

In 2018, Palo Alto Networks was listed 8th in the Forbes Digital 100.[9] In June 2018, former Google and SoftBank executive Nikesh Arora joined the company as Chairman and CEO.[10]
 
Joined
Sep 10, 2016
Messages
733 (0.41/day)
I've had AV's throw false positives for plaintext files with a weird file ending.
I had major issues with a version of Aurora 4x for similar reasons
 
Joined
Aug 20, 2007
Messages
15,697 (3.08/day)
Heck, my open source mod got flagged as malware the other day by Windows Defender. Despite the fact I literally publish the source.

False positives happen.
 

Frick

Fishfaced Nincompoop
Joined
Feb 27, 2006
Messages
17,069 (3.03/day)
I had major issues with a version of Aurora 4x for similar reasons

1. You are a top tier person.
2. I assume it was the wrapper that was the problem? That thing has all kinds of weirdness to it.
 
Joined
Dec 29, 2010
Messages
2,277 (0.59/day)
It's called a false positive...
 
Joined
Sep 10, 2016
Messages
733 (0.41/day)
1. You are a top tier person.
2. I assume it was the wrapper that was the problem? That thing has all kinds of weirdness to it.
Haha, thanks. I will say that I still very much struggle with that game.
I never did find out what the exact issue was (I don't have the knowledge to work it out); I just told Windows Defender to leave it alone and it was fine after that.
 
Joined
Feb 23, 2019
Messages
2,748 (3.08/day)
For those curious about Palo Alto Networks, an excerpt from Wikipedia:

Palo Alto Networks, Inc. (NYSE: PANW) is an American multinational cybersecurity company with headquarters in Santa Clara, California. Its core products are a platform that includes advanced firewalls and cloud-based offerings that extend those firewalls to cover other aspects of security. The company serves over 70,000 organizations in over 150 countries, including 85 of the Fortune 100.[6] It is home to the Unit 42 threat research team[7] and hosts the Ignite cybersecurity conference.[8]

In 2018, Palo Alto Networks was listed 8th in the Forbes Digital 100.[9] In June 2018, former Google and SoftBank executive Nikesh Arora joined the company as Chairman and CEO.[10]
How about introducing yourself next time if you represent some company.
 