dmr_72.exe

CHIP Secured Installer

CHIP Digital GmbH

The application dmr_72.exe by CHIP Digital GmbH has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the Covus installer. While running, it connects to the Internet address ocs2.chdi-server.de on port 80 using the HTTP protocol.
Publisher:
CHIP Digital GmbH  (signed and verified)

Product:
CHIP Secured Installer

Version:
2.1.4.4

MD5:
9fac6eacbe56112c311bf09529de0406

SHA-1:
1341dbda76b17bc5762a0699e5930a74cbcde303

SHA-256:
19b04b9c1d7d7affa39d767a995660e9a239b480f286a3f57925adce430050cd

Scanner detections:
1 / 68

Status:
Potentially unwanted

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open-source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
11/23/2024 2:27:15 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.ChipDigital.Bundler (M)

Engine version:
17.2.7.14

File size:
518 KB (530,440 bytes)

Product version:
2.1.4.4

Copyright:
Copyright © 2017 Chip Digital GmbH

Trademarks:
CHIP Secured Installer

Original file name:
DMR.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Covus

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\dmr_72.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
2/6/2017 4:00:00 PM

Valid to:
2/7/2018 3:59:59 PM

Subject:
CN=CHIP Digital GmbH, OU=Download Development, O=CHIP Digital GmbH, STREET=St.-Martin-Strasse 66, L=Munich, S=Bayern, PostalCode=81541, C=DE

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00DFE066D5ACFFAD39C60AEA807A45FA40

File PE Metadata
Compilation timestamp:
2/7/2017 5:55:54 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

Entry address:
0x7E7AE

Entropy:
6.7182

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
498 KB (509,952 bytes)

The executing file has been seen to make the following network communications in live environments.
