# Malware hidden ?



## mike778 (Feb 22, 2021)

Can someone from Techpowerup tell me why GPU-Z is using Yoda's Crypter?

Win32 EXE Yoda's Crypter (37.3%)

(VirusTotal, www.virustotal.com)

I might be missing something, but for me there is only one reason to use a code crypter: hiding malware.
If there is another reason I will be happy to know it.

This is not new, it has changed quite some time ago, I've never installed it since then.


----------



## W1zzard (Feb 22, 2021)

First time I hear of Yoda's Crypter. I'm using UPX though to reduce the exe size

You can just unpack the EXE with upx -d

This is the EXE without UPX: https://www.virustotal.com/gui/file...84b9f5c508d253a935176431398fc90fa01e1/details

Guess Yoda's Crypter is a misdetection when UPX is used?

If I wanted to hide malware I would definitely run it through Virustotal first and tweak the executable until a decent result without any detections


----------



## Gera of Belote (Feb 23, 2021)

I downloaded 2.37 yesterday from US-4 mirror, and our surveillance software and hardware found huge problems with it. Maybe someone/group is unpacking the app and repackaging it with malware? Can the staff at Techpowerup investigate?


----------



## Gera of Belote (Feb 23, 2021)

Verdict: This sample was determined to be malware.

*Summary of behaviors observed during analysis:*

- Created or modified a file in the Windows system folder
- Created or modified a file
- Started a process
- Modified the Windows Registry
- Created an executable file in a user folder
- Started a process from a user folder
- *Created a device driver*
- *Created a hidden executable file*
- *Modified proxy settings for Internet Explorer*
- *Modified connections settings for Internet Explorer*
- Installed a hook
- Started or stopped a Windows system service
- Attempted to sleep for a long period
- Sample registered a Graphical User Interface callback
- Dummy rule that should be fired on every PE sample
- Opened another process with full access
- *Enumerated running processes*
- *Sent commands to a device driver*
- *Set hidden file attribute*
- Checks if a process is running in background
- Contains non-standard section names
- First section is writable
- Contains an unusual entry point
- Contains sections with zero raw size
- Contains sections with size discrepancies
- Contains sections with high entropy
- Contains a TLS section
- Contains overlay data
- Uses a known packer
- This PE file contains sections belong to known packers
- Contains sections with zero size
- Corrupted PE header
- Contains sections set to both writable and executable
- Matches a static analysis signature
- PE file with valid digital signature
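The static-analysis lines in that report (known packer section names, zero raw size, sections that are both writable and executable, high entropy) are what a UPX-packed binary looks like from its section table alone, and none of them says anything about behaviour. As an added example that is not from the thread or from GPU-Z, the Python below parses a PE section table and recomputes those four flags; `build_pe` and `SAMPLE` are constructed test data shaped like a UPX-packed file, not a real binary, and the 7.0-bit entropy threshold is an assumption.

```python
import math
import struct
from collections import Counter

SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_* bits
PACKER_NAMES = {"UPX0", "UPX1", "UPX2"}  # section names the UPX packer writes
SECTION_HDR = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER layout

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; values near 8.0 mean compressed or encrypted content."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def triage(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> COFF -> section table and map each
    section name to the static flags it trips (same heuristics as the report above)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]  # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    report = {}
    for i in range(nsec):
        hdr = struct.unpack_from(SECTION_HDR, data, pe + 24 + opt_size + 40 * i)
        name, rawsize, rawptr, chars = hdr[0].rstrip(b"\0").decode(), hdr[3], hdr[4], hdr[9]
        flags = []
        if name in PACKER_NAMES:
            flags.append("known packer section name")
        if rawsize == 0:
            flags.append("zero raw size")
        if chars & SCN_MEM_WRITE and chars & SCN_MEM_EXECUTE:
            flags.append("writable and executable")
        if shannon_entropy(data[rawptr:rawptr + rawsize]) > 7.0:  # assumed threshold
            flags.append("high entropy")
        report[name] = flags
    return report

def build_pe(sections) -> bytes:
    """Constructed minimal PE for testing: sections = [(name, raw_bytes, characteristics)]."""
    pe = 0x40  # PE header placed right after the 64-byte DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)  # no optional header
    ptr, va, table, raw = pe + 24 + 40 * len(sections), 0x1000, b"", b""
    for name, body, chars in sections:
        table += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"), 0x1000, va,
                             len(body), ptr if body else 0, 0, 0, 0, 0, chars)
        ptr, va, raw = ptr + len(body), va + 0x1000, raw + body
    return b"MZ" + bytes(58) + struct.pack("<I", pe) + b"PE\0\0" + coff + table + raw

# Constructed sample shaped like a UPX-packed binary: empty W+X UPX0, high-entropy UPX1.
SAMPLE = build_pe([("UPX0", b"", 0xE0000080), ("UPX1", bytes(range(256)) * 16, 0xE0000040)])
```

Running `triage(SAMPLE)` reproduces the report's packer, zero-raw-size, W+X and high-entropy lines from a file that contains no code at all, which is why those lines cannot carry a malware verdict on their own.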


----------



## W1zzard (Feb 23, 2021)

I don't see anything in this report that would indicate it is malware, other than "Verdict Malware". Some of these techniques are slightly uncommon, but GPU-Z isn't your standard Windows program either

PLEASE reach out to your AV vendor and ask for clarification, they are the only ones who can help you get an answer, because they've designed their software to work in a certain way.

GPU-Z is definitely not malware, it is used by millions of users.

You can find the Virustotal result here: https://www.virustotal.com/gui/file...d7b565b8545f3110c2650b346accd97cb16/detection

Looks like Palo Alto has some homework to do, too, maybe your WildFire AV used Palo Alto's scanning engine?



Gera of Belote said:


> Maybe someone/group is unpacking the app and repackaging it with malware?


A great way to check if the file has been tampered with since I released it is to right click, properties, digital signatures and verify if the TPU digital signature is OK


----------



## OneMoar (Feb 23, 2021)

Gera of Belote said:


> I downloaded 2.37 yesterday from US-4 mirror, and our surveillance software and hardware found huge problems with it. Maybe someone/group is unpacking the app and repackaging it with malware? Can the staff at Techpowerup investigate?


Whatever software you are using is complete garbage. Please use a reputable anti-malware such as Malwarebytes or ESET. Do not come here with your red herrings, thanks.


----------



## Frick (Feb 23, 2021)

I've had AV's throw false positives for plaintext files with a weird file ending.


----------



## Deleted member 205776 (Feb 23, 2021)

Third party AVs are a joke. GPU-Z is not malware.


----------



## Chomiq (Feb 23, 2021)

Brand new user pops up with "AV detected malware in GPU-Z", another brand new user pops up with "AV analysis showing malware detected" and a .pdf file. Totally not a bait.


----------



## OneMoar (Feb 23, 2021)

permabans for the both of them don't give these morons the time of day
we got enough morons on tpu we don't need anymore


----------



## Deleted member 205776 (Feb 23, 2021)

mike778 said:


> Yoda's Crypter


----------



## Night (Feb 23, 2021)

You should also run the listed MD5 checksum after downloading files, especially from somewhere other than TPU. I've been using this for years for hash checks: http://code.kliu.org/hashcheck/


----------



## W1zzard (Feb 23, 2021)

Chomiq said:


> Brand new user pops up with "AV detected malware in GPU-Z", another brand new user pops up with "AV analysis showing malware detected" and a .pdf file. Totally not a bait.





OneMoar said:


> permabans for the both of them don't give these morons the time of day
> we got enough morons on tpu we don't need anymore



Nah he has a concern and was kind enough to make a thread here. This is exactly why we have these forums. GPU-Z is used by millions of people around the world with wildly varying tech skillsets, and I'm happy to answer any question, rather than not even know there's an issue that has people worried.


----------



## Gera of Belote (Feb 23, 2021)

Thank you for the kind words W1zzard and others.  My team and I got off a Zoom meeting with Arctic Wolf regarding GPU-Z v2.37.0.exe. Arctic Wolf reviewed with us some of the files and file changes, the registry changes, the IE changes, etc., and so far it seems benign; there was some unusual behavior, but it was benign. Our security vendor and our team tested a few previous versions of GPU-Z, and they did not exhibit the unusual behaviors of v2.37 that got flagged by our security hardware and software. Arctic Wolf will issue us a report on the analysis in a few days, and I will share the report to this forum.


----------



## qubit (Feb 23, 2021)

GPU-Z = epic.


----------



## W1zzard (Feb 23, 2021)

Gera of Belote said:


> Thank you for the kind words W1zzard and others.  My team and I got off a Zoom meeting with Arctic Wolf regarding GPU-Z v2.37.0.exe. Arctic Wolf reviewed with us some of the files and file changes, the registry changes, the IE changes, etc., and so far it seems benign; there was some unusual behavior, but it was benign. Our security vendor and our team tested a few previous versions of GPU-Z, and they did not exhibit the unusual behaviors of v2.37 that got flagged by our security hardware and software. Arctic Wolf will issue us a report on the analysis in a few days, and I will share the report to this forum.


Thanks! Much appreciated.

For this build I changed the UPX compression parameters to reduce EXE size even further, from `upx.exe --keep-resource=16,14,3 "$(OutDir)$(ProjectName).exe"` to `upx.exe --best --crp-ms=999999 --lzma --keep-resource=16,14,3 "$(OutDir)$(ProjectName).exe"`

Maybe that triggered the detection


----------



## Gera of Belote (Feb 23, 2021)

W1zzard said:


> Thanks! Much appreciated.
> 
> For this build I changed the UPX compression parameters to reduce EXE size even further, from `upx.exe --keep-resource=16,14,3 "$(OutDir)$(ProjectName).exe"` to `upx.exe --best --crp-ms=999999 --lzma --keep-resource=16,14,3 "$(OutDir)$(ProjectName).exe"`
> 
> Maybe that triggered the detection



Update from wildfire.paloaltonetworks.com regarding GPU-Z v2.37.0:

WildFire Update:  Incorrect Verdict

SHA256: 13A8D0899907BB0350A0CC7971919D7B565B8545F3110C2650B346ACCD97CB16

Received Time: 2021-02-22 15:41:40 (UTC) Updated Time: 2021-02-23 20:58:16 (UTC)

After further review, the file was determined to be benign, and the signature for this file has been removed.

I have asked for the report from ArcticWolf Network Security Teams. Once I have it, I will post.


----------



## DeathtoGnomes (Feb 23, 2021)

For those curious about Arctic Wolf, an excerpt from their wiki:



> Arctic Wolf was founded in 2012 and has focused on providing managed security services to small and midmarket organizations.[3] The company was listed as a Gartner Cool Vendor in security for mid sized enterprises in June 2018. In 2019 and again in 2020, the company was named to the Deloitte Fast 500 list of fast-growing companies.



not your average home AV software


----------



## Gera of Belote (Feb 24, 2021)

For those curious about Palo Alto Networks, an excerpt from Wikipedia:

*Palo Alto Networks, Inc.* (NYSE: *PANW*) is an American multinational cybersecurity company with headquarters in Santa Clara, California. Its core products are a platform that includes advanced firewalls and cloud-based offerings that extend those firewalls to cover other aspects of security. The company serves over 70,000 organizations in over 150 countries, including 85 of the Fortune 100.[6] It is home to the Unit 42 threat research team[7] and hosts the Ignite cybersecurity conference.[8]

In 2018, Palo Alto Networks was listed 8th in the Forbes Digital 100.[9] In June 2018, former Google and SoftBank executive Nikesh Arora joined the company as Chairman and CEO.[10]


----------



## Nuckles56 (Feb 24, 2021)

Frick said:


> I've had AV's throw false positives for plaintext files with a weird file ending.


I had major issues with a version of Aurora 4x for similar reasons


----------



## R-T-B (Feb 24, 2021)

Heck, my open source mod got flagged as malware the other day by Windows Defender.  Despite the fact I literally publish the source.

False positives happen.


----------



## Frick (Feb 24, 2021)

Nuckles56 said:


> I had major issues with a version of Aurora 4x for similar reasons



1. You are a top tier person.
2. I assume it was the wrapper that was the problem? That thing has all kinds of weirdness to it.


----------



## thesmokingman (Feb 24, 2021)

It's called a false positive...


----------



## Nuckles56 (Feb 24, 2021)

Frick said:


> 1. You are a top tier person.
> 2. I assume it was the wrapper that was the problem? That thing has all kinds of weirdness to it.


Haha thanks, I will say that I still very much struggle with that game.
I never did find out what the exact issue was (I don't have the knowledge to work it out), I just told Windows Defender to leave it alone and it was fine after that.


----------



## Chomiq (Feb 24, 2021)

Gera of Belote said:


> For those curious about Palo Alto Networks, an excerpt from Wikipedia:
> 
> *Palo Alto Networks, Inc.* (NYSE: *PANW*) is an American multinational cybersecurity company with headquarters in Santa Clara, California. Its core products are a platform that includes advanced firewalls and cloud-based offerings that extend those firewalls to cover other aspects of security. The company serves over 70,000 organizations in over 150 countries, including 85 of the Fortune 100.[6] It is home to the Unit 42 threat research team[7] and hosts the Ignite cybersecurity conference.[8]
> 
> In 2018, Palo Alto Networks was listed 8th in the Forbes Digital 100.[9] In June 2018, former Google and SoftBank executive Nikesh Arora joined the company as Chairman and CEO.[10]


How about next time introduce yourself if you represent some company.


----------



## Naki (Feb 25, 2021)

DeathtoGnomes said:


> For those curious about Arctic Wolf, an excerpt from their wiki:
> 
> 
> 
> not your average home AV software



And this means they cannot be incompetent how exactly..?


----------



## DeathtoGnomes (Feb 25, 2021)

Naki said:


> And this means they cannot be incompetent how exactly..?


That's a good question. How?


----------



## Hardcore Games (Mar 12, 2021)

false positives are all too common


----------



## thesmokingman (Mar 12, 2021)

DeathtoGnomes said:


> That's a good question. How?


By making a thread such as this... lol

Reminds me of the silliness years ago with the PhysX mod.

> Hybrid PhysX Mod Package Contained Trojan (hardforum.com)
>
> It has come to our attention that the Hybrid PhysX Mod from NGOHQ.com posted earlier this month contained the Infostealer.Gampass trojan. According to Symantec, Infostealer.Gampass specifically targets video game credentials, log-ins and passwords. I would recommend uninstalling this and doing a...

Who can forget this morsel?



> We do take responsibility for posting it.  We have notified our readers, apologized, and removed previous links.  Suggesting otherwise is simply being uninformed and not reading our post.
> 
> NGOHQ will never again see a link on HardOCP and within a few days, the name will be banned from being typed here at all.  The only reason it is not right now is so that it can be discussed easily.


----------



## jboydgolfer (Mar 12, 2021)

Gera of Belote said:


> For those curious about Palo Alto Networks, an excerpt from Wikipedia:
> 
> *Palo Alto Networks, Inc.* (NYSE: *PANW*) is an American multinational cybersecurity company with headquarters in Santa Clara, California. Its core products are a platform that includes advanced firewalls and cloud-based offerings that extend those firewalls to cover other aspects of security. The company serves over 70,000 organizations in over 150 countries, including 85 of the Fortune 100.[6] It is home to the Unit 42 threat research team[7] and hosts the Ignite cybersecurity conference.[8]
> 
> In 2018, Palo Alto Networks was listed 8th in the Forbes Digital 100.[9] In June 2018, former Google and SoftBank executive Nikesh Arora joined the company as Chairman and CEO.[10]


my names jon. i drivse a Mercedes , & im very smaurt


----------



## Naki (Mar 12, 2021)

DeathtoGnomes said:


> That's a good question. How?


I think it goes like this -- small companies are smally (not really a word? or maybe archaic) incompetent, medium ones are mediumly so, and huge corporations are hugely incompetent -- correct?


----------



## Deleted member 205776 (Mar 15, 2021)

Naki said:


> I think it goes like this -- small companies are smally (not really a word? or maybe archaic) incompetent, medium ones are mediumly so, and huge corporations are hugely incompetent -- correct?


What is this, literal Loserbenchmark?


----------



## Hachi_Roku256563 (Mar 15, 2021)

Alexa said:


> What is this, literal Loserbenchmark?


Lols


----------

