Malware hidden ?

[mike778]

Can someone from Techpowerup tells me why GPU-Z is using Yoda's crypter ?

Win32 EXE Yoda's Crypter (37.3%)

VirusTotal

VirusTotal

www.virustotal.com

I might be missing something, but for me there is only one reason to use a code crypter, hidding a malware.
If there is another reason I will be happy to know it.

This is not new, it has changed quite some time ago, I've never installed it since then.

 

[W1zzard]

First time I hear of Yoda's Crypter. I'm using UPX though to reduce the exe size

You can just unpack the EXE with upx -d

This is the EXE without UPX: https://www.virustotal.com/gui/file...84b9f5c508d253a935176431398fc90fa01e1/details

Guess Yoda's Crypter is a misdetection when UPX is used?

If I wanted to hide malware I would definitely run it through Virustotal first and tweak the executable until a decent result without any detections

 

[Gera of Belote]

I downloaded 2.37 yesterday from US-4 mirror, and our surveillance software and hardware found huge problems with it. Maybe someone/group is unpacking the app and repackaging it with malware? Can the staff at Techpowerup investigate?

 

[Gera of Belote]

Verdict: This sample was determined to be malware.



Summary of behaviors observed during analysis:



- Created or modified a file in the Windows system folder

- Created or modified a file

- Started a process

- Modified the Windows Registry

- Created an executable file in a user folder

- Started a process from a user folder

- Created a device driver

- Created a hidden executable file

- Modified proxy settings for Internet Explorer

- Modified connections settings for Internet Explorer

- Installed a hook

- Started or stopped a Windows system service

- Attempted to sleep for a long period

- Sample registered a Graphical User Interface callback

- Dummy rule that should be fired on every PE sample

- Opened another process with full access

- Enumerated running processes

- Sent commands to a device driver

- Set hidden file attribute

- checks if a process is running in background

- Contains non-standard section names

- First section is writable

- Contains an unusual entry point

- Contains sections with zero raw size

- Contains sections with size discrepancies

- Contains sections with high entropy

- Contains a TLS section

- Contains overlay data

- Uses a known packer

- This PE file contains sections belong to known packers

- Contains sections with zero size

- Corrupted PE header

- Contains sections set to both writable and executable

- Matches a static analysis signature

- PE file with valid digital signature

 

[W1zzard]

I don't see anything in this report that would indicate it is malware, other than "Verdict Malware". Some of these techniques are slightly uncommon, but GPU-Z isn't your standard Windows program either

PLEASE reach out to your AV vendor and ask for clarification, they are the only ones who can help you get an answer, because they've designed their software to work in a certain way.

GPU-Z is definitely not malware, it is used by millions of users.

You can find the Virustotal result here: https://www.virustotal.com/gui/file...d7b565b8545f3110c2650b346accd97cb16/detection

Looks like Palo Alto has some homework to do, too, maybe your WilfFire AV used Palo Alto's scanning engine?

Maybe someone/group is unpacking the app and repackaging it with malware?

A great way to check if the file has been tampered with since I released it is to right click, properties, digital signatures and verify if the TPU digital signature is OK

 

[OneMoar]

I downloaded 2.37 yesterday from US-4 mirror, and our surveillance software and hardware found huge problems with it. Maybe someone/group is unpacking the app and repackaging it with malware? Can the staff at Techpowerup investigate?

whatever software you are using is complete garbage please use a reputable Antimalware such as malware bytes of ESET do not come here with your red herrings thanks

 

[Frick]

I've had AV's throw false positives for plaintext files with a weird file ending.

 

[Deleted member 205776]

Third party AVs are a joke. GPU-Z is not malware.

 

[Chomiq]

Brand new user pops up with "AV detected malware in GPU-Z", another brand new user pops up with "AV analysis showing malware detected" and a .pdf file. Totally not a bait.

 

[OneMoar]

permabans for the both of them don't give these morons the time of day
we got enough morons on tpu we don't need anymore

 

[Deleted member 205776]

Yoda's Crypter

 

[Night]

You should also run the listed MD5 checksum after downloading files, especially from somewhere other than TPU. I've been using this for years for hash checks: http://code.kliu.org/hashcheck/

 

[W1zzard]

Brand new user pops up with "AV detected malware in GPU-Z", another brand new user pops up with "AV analysis showing malware detected" and a .pdf file. Totally not a bait.

permabans for the both of them don't give these morons the time of day
we got enough morons on tpu we don't need anymore

Nah he has a concern and was kind enough to make a thread here. This is exactly why we have these forums. GPU-Z is used by millions of people around the world with wildly varying tech skillsets, and I'm happy to answer any question, rather than not even know there's an issue that has people worried.

 

[Gera of Belote]

Thank you for the kind words W1zzard and others. My team and I got off a Zoom meeting with Arctic Wolf regarding GPU-Z v2.37.0.exe. Arctic Wolf reviewed with us some of the files and file changes, the registry changes, the IE changes, etc., and so far it seems benign; there was some unusual behavior, but it was benign. Our security vendor and our team tested a few previous versions of GPU-Z, and they did not exhibit the unusual behaviors of v2.37 that got flagged by our security hardware and software. Arctic Wolf will issue us a report on the analysis in a few days, and I will share the report to this forum.

 

[qubit]

GPU-Z = epic.

 

[W1zzard]

Thank you for the kind words W1zzard and others. My team and I got off a Zoom meeting with Arctic Wolf regarding GPU-Z v2.37.0.exe. Arctic Wolf reviewed with us some of the files and file changes, the registry changes, the IE changes, etc., and so far it seems benign; there was some unusual behavior, but it was benign. Our security vendor and our team tested a few previous versions of GPU-Z, and they did not exhibit the unusual behaviors of v2.37 that got flagged by our security hardware and software. Arctic Wolf will issue us a report on the analysis in a few days, and I will share the report to this forum.

Thanks! Much appreciated.

For this build I changed the UPX compression parameters to reduce EXE size even further, from upx.exe --keep-resource=16,14,3 "$(OutDir)$(ProjectName).exe to upx.exe --best --crp-ms=999999 --lzma --keep-resource=16,14,3 "$(OutDir)$(ProjectName).exe"

Maybe that triggered the detection

 

[Gera of Belote]

Thanks! Much appreciated.

For this build I changed the UPX compression parameters to reduce EXE size even further, from upx.exe --keep-resource=16,14,3 "$(OutDir)$(ProjectName).exe to upx.exe --best --crp-ms=999999 --lzma --keep-resource=16,14,3 "$(OutDir)$(ProjectName).exe"

Maybe that triggered the detection

Update from wildfire.paloaltonetworks.com regarding GPU-Z v2.37.0:

WildFire Update: Incorrect Verdict

SHA256: 13A8D0899907BB0350A0CC7971919D7B565B8545F3110C2650B346ACCD97CB16

Received Time: 2021-02-22 15:41:40 (UTC) Updated Time: 2021-02-23 20:58:16 (UTC)

After further review, the file was determined to be benign, and the signature for this file has been removed.

I have asked for the report from ArcticWolf Network Security Teams. Once I have it, I will post.

 

[DeathtoGnomes]

for those curious about ArticWolf, en excerpt from their wiki

Arctic Wolf was founded in 2012 and has focused on providing managed security services to small and midmarket organizations.[3] The company was listed as a Gartner Cool Vendor in security for mid sized enterprises in June 2018. In 2019 and again in 2020, the company was named to the Deloitte Fast 500 list of fast-growing companies.

not your average home AV software

 

[Gera of Belote]

For those curious about Palo Alto Networks, an excerpt from Wikipedia:

Palo Alto Networks, Inc. (NYSE: PANW) is an American multinational cybersecurity company with headquarters in Santa Clara, California. Its core products are a platform that includes advanced firewalls and cloud-based offerings that extend those firewalls to cover other aspects of security. The company serves over 70,000 organizations in over 150 countries, including 85 of the Fortune 100.[6] It is home to the Unit 42 threat research team[7] and hosts the Ignite cybersecurity conference.[8]

In 2018, Palo Alto Networks was listed 8th in the Forbes Digital 100.[9] In June 2018, former Google and SoftBank executive Nikesh Arora joined the company as Chairman and CEO.[10]

 

[Nuckles56]

I've had AV's throw false positives for plaintext files with a weird file ending.

I had major issues with a version of Aurora 4x for similar reasons

 

[R-T-B]

Heck, my open source mod got flagged as malware the other day by Windows Defender. Despite the fact I literally publish the source.

False positives happen.

 

[Frick]

I had major issues with a version of Aurora 4x for similar reasons

1. You are a top tier person.
2. I assume it was the wrapper that was the problem? That thing has all kinds of weirdness to it.

 

[thesmokingman]

It's called a false positive...

 

[Nuckles56]

1. You are a top tier person.
2. I assume it was the wrapper that was the problem? That thing has all kinds of weirdness to it.

Haha thanks, I will say that I still very much struggle with that game.
I never did find out what the exact issue was(I don't have the knowledge to work it out), I just told the windows defender to leave it alone and it was fine after that

 

[Chomiq]

For those curious about Palo Alto Networks, an excerpt from Wikipedia:

Palo Alto Networks, Inc. (NYSE: PANW) is an American multinational cybersecurity company with headquarters in Santa Clara, California. Its core products are a platform that includes advanced firewalls and cloud-based offerings that extend those firewalls to cover other aspects of security. The company serves over 70,000 organizations in over 150 countries, including 85 of the Fortune 100.[6] It is home to the Unit 42 threat research team[7] and hosts the Ignite cybersecurity conference.[8]

In 2018, Palo Alto Networks was listed 8th in the Forbes Digital 100.[9] In June 2018, former Google and SoftBank executive Nikesh Arora joined the company as Chairman and CEO.[10]

How about next time introduce yourself if you represent some company.