s3manager.exe read CPUID

Question

s3manager.exe read CPUID

SaltyYuki opened this issue a year ago · comments

Hello

I have try your s3manger (the exe one is release)
hybrid analyse say that you read CPUID wich is suspicious also when the exe is started he try to join
23.216.147.76
https://www.hybrid-analysis.com/sample/bd48d18a283dc75ef9ca8d503a77b2adf3300a39f5a30e3623355d2522d2f4b6/63f7ca9a47c0efe0450666fe

Can you say why ?

Thanks

Lena Fuhrimann · Answer 1 · Fri Feb 24 2023 21:53:22 GMT+0800 (China Standard Time)

@SaltyYuki, I'm guessing that's because s3manager depends on the following packages:

https://github.com/cloudlena/s3manager
└── https://github.com/minio/minio-go
    └── https://github.com/klauspost/compress
        └── https://github.com/klauspost/cpuid

All of those libraries are open source, so you can verify them and build from source if there are trust issues. Does that resolve the issue for you?

SaltyYuki · Answer 2 · Fri Feb 24 2023 22:02:58 GMT+0800 (China Standard Time)

Thanks for your reply !

One more question : Why is he trying to contact 23.216.147.76 without any info ? (no env var setup) just by running the exe

it's also done because of some external package use ?

Lena Fuhrimann · Answer 3 · Mon Feb 27 2023 17:44:09 GMT+0800 (China Standard Time)

@SaltyYuki, I cannot reproduce that call being made. Currently, I'm using strace to check:

$ strace -f -e network -s 10000 ./bin/s3manager

However, I cannot see any calls to that IP address. Can you tell me how to reproduce that, and what tools you are using?

SaltyYuki · Answer 4 · Mon Feb 27 2023 19:05:52 GMT+0800 (China Standard Time)

I use the exe one

It's was virus total that say that:
https://www.virustotal.com/gui/file/bd48d18a283dc75ef9ca8d503a77b2adf3300a39f5a30e3623355d2522d2f4b6/relations