File name: | LicenseCrawler - CHIP-Installer.exe |
Full analysis: | https://app.any.run/tasks/5075d418-7b84-468b-93e6-8253b8cd971c |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | March 22, 2019, 07:30:23 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
MD5: | AF72306A68434E0C43848600B87D1B27 |
SHA1: | 46A65A84B39998B5B4333F21C545CD9D9C5C93C6 |
SHA256: | E81FBE35DEF1876898336A07B080F99B296C9FB76A99418D6005A3748046F10E |
SSDEEP: | 24576:Xq5TfcdHj4fmbo2qfjzPhHyOjgu2Fzny1gdjgsA5k:XUTsamExbjg9jgQ |
.exe | | | Win64 Executable (generic) (30.7) |
---|---|---|
.exe | | | UPX compressed Win32 Executable (30.1) |
.exe | | | Win32 EXE Yoda's Crypter (29.5) |
.exe | | | Win32 Executable (generic) (5) |
.exe | | | Generic Win/DOS Executable (2.2) |
OriginalFileName: | CHIP Secured Installer |
---|---|
ProductName: | CHIP Secured Installer |
InternalName: | CHIP Secured Installer |
CompanyName: | CHIP Digital GmbH |
LegalCopyright: | Copyright © 2019 Chip Digital GmbH |
ProductVersion: | 2.9.10.0 |
FileDescription: | CHIP Secured Installer |
Comments: | CHIP Secured Installer |
FileVersion: | 2.9.10.0 |
CharacterSet: | Unicode |
LanguageCode: | German |
FileSubtype: | - |
ObjectFileType: | Unknown |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x0000 |
ProductVersionNumber: | 2.9.10.0 |
FileVersionNumber: | 2.9.10.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 5.1 |
ImageVersion: | - |
OSVersion: | 5.1 |
EntryPoint: | 0x1c68d0 |
UninitializedDataSize: | 1515520 |
InitializedDataSize: | 987136 |
CodeSize: | 344064 |
LinkerVersion: | 11 |
PEType: | PE32 |
TimeStamp: | 2019:03:13 10:43:21+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 13-Mar-2019 09:43:21 |
Detected languages: |
|
FileVersion: | 2.9.10.0 |
Comments: | CHIP Secured Installer |
FileDescription: | CHIP Secured Installer |
ProductVersion: | 2.9.10.0 |
LegalCopyright: | Copyright © 2019 Chip Digital GmbH |
CompanyName: | CHIP Digital GmbH |
InternalName: | CHIP Secured Installer |
ProductName: | CHIP Secured Installer |
OriginalFilename: | CHIP Secured Installer |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000108 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 13-Mar-2019 09:43:21 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
UPX0 | 0x00001000 | 0x00172000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
UPX1 | 0x00173000 | 0x00054000 | 0x00053C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.93604 |
.rsrc | 0x001C7000 | 0x000F1000 | 0x000F0E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.39466 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.32366 | 1444 | Latin 1 / Western European | German - Germany | RT_MANIFEST |
4 | 3.75291 | 9640 | Latin 1 / Western European | English - United Kingdom | RT_ICON |
7 | 3.34702 | 1428 | Latin 1 / Western European | English - United Kingdom | RT_STRING |
8 | 3.2817 | 1674 | Latin 1 / Western European | English - United Kingdom | RT_STRING |
9 | 3.28849 | 1168 | Latin 1 / Western European | English - United Kingdom | RT_STRING |
10 | 3.28373 | 1532 | Latin 1 / Western European | English - United Kingdom | RT_STRING |
11 | 3.26322 | 1628 | Latin 1 / Western European | English - United Kingdom | RT_STRING |
12 | 3.25812 | 1126 | Latin 1 / Western European | English - United Kingdom | RT_STRING |
99 | 2.0815 | 20 | Latin 1 / Western European | English - United Kingdom | RT_GROUP_ICON |
166 | 2.68292 | 80 | Latin 1 / Western European | English - United Kingdom | RT_MENU |
ADVAPI32.dll |
COMCTL32.dll |
COMDLG32.dll |
GDI32.dll |
IPHLPAPI.DLL |
KERNEL32.DLL |
MPR.dll |
OLEAUT32.dll |
PSAPI.DLL |
SHELL32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3672 | "C:\Users\admin\AppData\Local\Temp\LicenseCrawler - CHIP-Installer.exe" | C:\Users\admin\AppData\Local\Temp\LicenseCrawler - CHIP-Installer.exe | — | explorer.exe |
User: admin Company: CHIP Digital GmbH Integrity Level: MEDIUM Description: CHIP Secured Installer Exit code: 3221226540 Version: 2.9.10.0 | ||||
2456 | "C:\Users\admin\AppData\Local\Temp\LicenseCrawler - CHIP-Installer.exe" | C:\Users\admin\AppData\Local\Temp\LicenseCrawler - CHIP-Installer.exe | explorer.exe | |
User: admin Company: CHIP Digital GmbH Integrity Level: HIGH Description: CHIP Secured Installer Exit code: 0 Version: 2.9.10.0 | ||||
3848 | "C:\Users\admin\AppData\Local\Temp\DMR\dmr_72.exe" -install -54439828 -chipderedesign -fc6b6e4b84fe4aae9082c6161ec4930d - -BLUB2 -bhyrryigpengvmjc -2456 | C:\Users\admin\AppData\Local\Temp\DMR\dmr_72.exe | LicenseCrawler - CHIP-Installer.exe | |
User: admin Company: Chip Digital GmbH Integrity Level: HIGH Description: CHIP Secured Installer Version: 2.9.10.0 | ||||
3984 | "C:\Windows\explorer.exe" /e,/select,C:\Users\admin\Downloads\licensecrawler_2.1.2301.zip | C:\Windows\explorer.exe | — | dmr_72.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2784 | C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | C:\Windows\explorer.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3368 | "C:\Users\admin\AppData\Local\Temp\DMR\Downloads\152e221a8bef8d2d13c58f995563a1a1\c36806329dd1ca55ff7a96fec0779424\avast_free_antivirus_setup_online.exe" /SILENT | C:\Users\admin\AppData\Local\Temp\DMR\Downloads\152e221a8bef8d2d13c58f995563a1a1\c36806329dd1ca55ff7a96fec0779424\avast_free_antivirus_setup_online.exe | dmr_72.exe | |
User: admin Company: AVAST Software Integrity Level: HIGH Description: Avast Antivirus Installer Version: 2.1.1279.0 | ||||
3112 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\licensecrawler_2.1.2301.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3556 | "C:\Windows\Temp\asw.8d77844b5617f669\avast_free_antivirus_setup_online.exe" /SILENT /cookie:mmm_cip_ppi_002_599_m /ga_clientid:94209c7b-0ef6-4fd6-831e-5085f8303a05 /edat_dir:C:\Windows\Temp\asw.8d77844b5617f669 | C:\Windows\Temp\asw.8d77844b5617f669\avast_free_antivirus_setup_online.exe | avast_free_antivirus_setup_online.exe | |
User: admin Company: AVAST Software Integrity Level: HIGH Description: Avast Antivirus Installer Version: 19.3.4241.0 | ||||
3892 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\licensecrawler_2.1.2301.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3996 | "C:\Windows\Temp\asw.83c72f9aa07f3dad\instup.exe" /edition:1 /ga_clientid:94209c7b-0ef6-4fd6-831e-5085f8303a05 /guid:e119c0ee-43d6-4bad-a0fd-ad609c86941f /prod:ais /sfx:lite /sfxstorage:C:\Windows\Temp\asw.83c72f9aa07f3dad /SILENT /cookie:mmm_cip_ppi_002_599_m /ga_clientid:94209c7b-0ef6-4fd6-831e-5085f8303a05 /edat_dir:C:\Windows\Temp\asw.8d77844b5617f669 | C:\Windows\Temp\asw.83c72f9aa07f3dad\instup.exe | avast_free_antivirus_setup_online.exe | |
User: admin Company: AVAST Software Integrity Level: HIGH Description: Avast Antivirus Installer Version: 19.3.4241.0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3556 | avast_free_antivirus_setup_online.exe | Setup.log | — | |
MD5:— | SHA256:— | |||
3556 | avast_free_antivirus_setup_online.exe | C:\Windows\Temp\asw.83c72f9aa07f3dad\servers.def | text | |
MD5:C66EFF1E07EDD34AE3465B8FB23020F1 | SHA256:8EB05C4D9B307CF69ED5F13DAC4B18C912EA11B2230E62D9891EF1C138380A42 | |||
3368 | avast_free_antivirus_setup_online.exe | C:\windows\temp\asw.8d77844b5617f669\ecoo.edat | text | |
MD5:3C38147AA44779EE9B4287EA8D7F998C | SHA256:B380D5392B9024877088B795EC5E7194F23AC55BE450EDC3F5920CF3A75A3AE2 | |||
3848 | dmr_72.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\MarselisSlabWeb[1].eot | eot | |
MD5:99DB29822EBD7B203C4D42F511A09126 | SHA256:8BB3DD596D97E5130178968732A0E2490668B5850E94F6B64D1E0262D5C8E5C8 | |||
3848 | dmr_72.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\jquery[1].js | text | |
MD5:21AAD200D2965AB5E8003EB72A60CDBA | SHA256:DFCBB6BDD9CA50BA56F33B36F585456707F90EEF14BE072D46908F3A6D56F82B | |||
2456 | LicenseCrawler - CHIP-Installer.exe | C:\Users\admin\AppData\Local\Temp\DMR\dmr_72.exe | executable | |
MD5:E1C531D8EE0435A4829C850C64C6E066 | SHA256:DE261633341935832DFDA0B6FF43C6DFA34CA40F98BBEBCA84CF3F9A513326B1 | |||
3556 | avast_free_antivirus_setup_online.exe | C:\Windows\Temp\asw.83c72f9aa07f3dad\config.def | text | |
MD5:553B471777D328A6EF79790FD516BB47 | SHA256:38B63D92FC4300B5A9D4CE9CBB77194CD3E8AA7FAAACB09DD33F851EE7622026 | |||
3848 | dmr_72.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\main[1].js | text | |
MD5:8AB97ADDE4779CB7ABA2AD7693F8804F | SHA256:84C455C2B26F53B7E4750DFE0C782C93BFD0B3F3F0F2C0695749E402602AA79E | |||
3848 | dmr_72.exe | C:\Users\admin\AppData\Local\Temp\DMR\Downloads\152e221a8bef8d2d13c58f995563a1a1\3533bda4c65ccfbbc76d3b22854fd16c\1-klick-chip-setup.exe | executable | |
MD5:35894C5B6B6FC3FD8C34FAB6998CEA4A | SHA256:C38861941FDFB0798EDAA6EEB9DAF880321CE287CA236654E3FF0F73C8CAA330 | |||
3848 | dmr_72.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\main[1].css | text | |
MD5:D7D0460325E0498216BD55AF8298E758 | SHA256:92C02CD6A818E9A33E8D5D24191ED942DBF4EF8AF86B3F2BEC5F98B8556F72DE |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3848 | dmr_72.exe | GET | — | 5.9.198.83:80 | http://api.chip-secured-download.de/downloaderContent/jquery.js | DE | — | — | malicious |
3848 | dmr_72.exe | GET | 200 | 5.9.198.83:80 | http://api.chip-secured-download.de/downloaderContent/main.css?v=1461939270 | DE | text | 1.65 Kb | malicious |
3848 | dmr_72.exe | GET | 200 | 5.9.198.83:80 | http://api.chip-secured-download.de/track/uac.php?clientid=661b878e-975f-4599-8734-b17dc440936e&cid=54439828&pid=chipderedesign&source=BLUB2&setupid=fc6b6e4b84fe4aae9082c6161ec4930d&langcountry=en-US&state=WithoutUAC | DE | binary | 121 Kb | malicious |
3848 | dmr_72.exe | GET | 200 | 5.9.198.83:80 | http://api.chip-secured-download.de/downloaderContent/MarselisSlabWeb.eot?&1440165143 | DE | eot | 61.7 Kb | malicious |
3848 | dmr_72.exe | GET | 200 | 5.9.198.83:80 | http://api.chip-secured-download.de/downloaderContent/jquery.js | DE | text | 32.2 Kb | malicious |
3848 | dmr_72.exe | GET | 200 | 5.9.198.83:80 | http://api.chip-secured-download.de/downloaderContent/progress.php?pid=chipderedesign&cid=54439828&sid=fc6b6e4b84fe4aae9082c6161ec4930d&appname=4C6963656E7365437261776C6572&uid=661b878e-975f-4599-8734-b17dc440936e&scid=&source=BLUB2&language=en-eu&piddata=&uaexe=66697265666F782E657865&Camplist=64386635313338383638323336356261393562616434326463323933303838663B61316363303330363632343534346235306161666131633930383766343364643B31313131636230656231386533626238623736356362663664623237656132333B3737396434326630663031356265393839666436663565623065343765343733 | DE | htm | 2.18 Kb | malicious |
3848 | dmr_72.exe | GET | 200 | 5.9.198.83:80 | http://api.chip-secured-download.de/newbrandmachine/chipderedesign?cid=54439828&scid=&headline1=4C6963656E7365437261776C6572&headline2=434849502D444F574E4C4F4144&euid=366639636331626331306538356565633137636264653832&icon=68747470733A2F2F7777772E636869702E64652F69692F352F382F392F352F392F322F322F663964306162626339613035663033332E6A7067&screenshot=68747470733A2F2F7777772E636869702E64652F69692F352F382F392F352F392F322F322F623431383265623035366135343330372E6A7067&MetaRating=35&lang=en | DE | binary | 121 Kb | malicious |
3848 | dmr_72.exe | GET | 200 | 5.9.198.84:80 | http://static.chip-secured-download.de/gfx/pagead/AVAST/avast-buttons-v1-feb18.gif | DE | image | 36.6 Kb | suspicious |
3848 | dmr_72.exe | GET | 200 | 5.9.198.83:80 | http://api.chip-secured-download.de/downloaderContent/main.js?v=12 | DE | text | 2.74 Kb | malicious |
3848 | dmr_72.exe | GET | 200 | 5.9.198.83:80 | http://api.chip-secured-download.de/geoip/geoip.php?ip=36322e3231342e36372e313836&givezip=true | DE | text | 14 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3556 | avast_free_antivirus_setup_online.exe | 172.217.16.142:80 | www.google-analytics.com | Google Inc. | US | whitelisted |
3848 | dmr_72.exe | 2.16.186.59:80 | dl.cdn.chip.de | Akamai International B.V. | — | whitelisted |
3848 | dmr_72.exe | 5.9.198.83:80 | api.chip-secured-download.de | Hetzner Online GmbH | DE | malicious |
3848 | dmr_72.exe | 5.9.198.84:80 | static.chip-secured-download.de | Hetzner Online GmbH | DE | suspicious |
3848 | dmr_72.exe | 176.9.97.244:80 | api.chip-secured-download.de | Hetzner Online GmbH | DE | malicious |
3996 | instup.exe | 8.8.8.8:53 | — | Google Inc. | US | whitelisted |
3848 | dmr_72.exe | 2.18.69.143:443 | bits.avcdn.net | Akamai International B.V. | — | whitelisted |
3368 | avast_free_antivirus_setup_online.exe | 77.234.45.54:80 | v7event.stats.avast.com | AVAST Software s.r.o. | DE | unknown |
3996 | instup.exe | 5.62.53.220:443 | shepherd.ff.avast.com | — | US | unknown |
3556 | avast_free_antivirus_setup_online.exe | 77.234.45.54:80 | v7event.stats.avast.com | AVAST Software s.r.o. | DE | unknown |
Domain | IP | Reputation |
---|---|---|
api.chip-secured-download.de |
| unknown |
ocs1.chdi-server.de |
| unknown |
static.chip-secured-download.de |
| suspicious |
downloaderapi.chip.de |
| whitelisted |
bits.avcdn.net |
| whitelisted |
service.chip-secured-download.de |
| malicious |
dl.cdn.chip.de |
| whitelisted |
www.google-analytics.com |
| whitelisted |
v7event.stats.avast.com |
| whitelisted |
iavs9x.u.avast.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3848 | dmr_72.exe | A Network Trojan was detected | MALWARE [PTsecurity] DownloadSponsor inbound artifact m1 |
3848 | dmr_72.exe | A Network Trojan was detected | MALWARE [PTsecurity] DownloadSponsor inbound artifact m1 |
3848 | dmr_72.exe | A Network Trojan was detected | MALWARE [PTsecurity] DownloadSponsor img_welcome PNG artifact |
3848 | dmr_72.exe | A Network Trojan was detected | MALWARE [PTsecurity] DownloadSponsor inbound artifact m1 |
3848 | dmr_72.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3848 | dmr_72.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3848 | dmr_72.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3848 | dmr_72.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |
3368 | avast_free_antivirus_setup_online.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |