dmr_72.exe

CHIP Secured Installer

CHIP Digital GmbH

The application dmr_72.exe by CHIP Digital GmbH has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the Covus installer. While running, it connects to the Internet address ocs3.chdi-server.de on port 443.
Publisher:
CHIP Digital GmbH  (signed and verified)

Product:
CHIP Secured Installer

Version:
2.0.6.0

MD5:
3c6bc1b7a85f5fda2926b0b3b3548e30

SHA-1:
928a536fbff196495b90e4bd51b932485b84a099

SHA-256:
5a681e3de52b6d99d3ed2d106df0d9d70f51c38abc380d7fadd9b89756487375

Scanner detections:
1 / 68

Status:
Potentially unwanted

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
11/5/2024 6:38:02 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.ChipDigital.Bundler.Covus.Installer.Meta (M)
16.6.27.11

File size:
508 KB (520,200 bytes)

Product version:
2.0.6.0

Copyright:
Copyright © 2016 Chip Digital GmbH

Trademarks:
CHIP Secured Installer

Original file name:
DMR.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Covus

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\dmr_72.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
1/27/2016 1:00:00 AM

Valid to:
1/27/2017 12:59:59 AM

Subject:
CN=CHIP Digital GmbH, OU=Download Development, O=CHIP Digital GmbH, STREET=St.-Martin-Strasse 66, L=Munich, S=Bavaria, PostalCode=81541, C=DE

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00B0564F3FBF54F6269517864BB24329FC

File PE Metadata
Compilation timestamp:
6/24/2016 11:16:23 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
12288:bEkRiFun706FtW0zOFJ2+l9AlstfWEVbp:bXiFurFtW0zQJ9TtFbp

Entry address:
0x7C38E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
489 KB (500,736 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www2.chdi-server.de  (5.9.198.83:80)

TCP (HTTP):
Connects to www1.chdi-server.de  (176.9.97.244:80)

TCP (HTTP):
Connects to ocs3.chdi-server.de  (5.9.176.3:8080)

TCP (HTTP):
Connects to ocs1.chdi-server.de  (5.9.175.19:80)

TCP (HTTP SSL):
Connects to ec2-54-174-193-79.compute-1.amazonaws.com  (54.174.193.79:443)

TCP (HTTP):
Connects to static.84.198.9.5.clients.your-server.de  (5.9.198.84:80)

TCP (HTTP):
Connects to www1.thinklabs-cluster.de  (148.251.198.118:80)

TCP (HTTP):
Connects to www2.thinklabs-cluster.de  (148.251.198.119:80)

TCP (HTTP):
Connects to static.245.97.9.176.clients.your-server.de  (176.9.97.245:80)

TCP (HTTP SSL):
Connects to ocs2.chdi-server.de  (5.9.116.27:443)

TCP (HTTP):
Connects to a95-101-82-32.deploy.akamaitechnologies.com  (95.101.82.32:80)

TCP (HTTP):
Connects to a88-221-116-65.deploy.akamaitechnologies.com  (88.221.116.65:80)

TCP (HTTP):
Connects to a95-101-82-9.deploy.akamaitechnologies.com  (95.101.82.9:80)

TCP (HTTP):
Connects to a88-221-116-90.deploy.akamaitechnologies.com  (88.221.116.90:80)

TCP (HTTP):
Connects to a104-121-150-225.deploy.static.akamaitechnologies.com  (104.121.150.225:80)

TCP (HTTP):
Connects to a104-121-150-203.deploy.static.akamaitechnologies.com  (104.121.150.203:80)

TCP (HTTP):
Connects to a95-101-89-251.deploy.akamaitechnologies.com  (95.101.89.251:80)

TCP (HTTP):
Connects to a95-101-82-24.deploy.akamaitechnologies.com  (95.101.82.24:80)

TCP (HTTP):
Connects to a88-221-116-120.deploy.akamaitechnologies.com  (88.221.116.120:80)

TCP (HTTP):
Connects to a84-53-136-25.deploy.akamaitechnologies.com  (84.53.136.25:80)

Remove dmr_72.exe - Powered by Reason Core Security