DxO.PhotoLab.Activation.Interop.dll contain Bitcoin address?

Silent · June 3, 2024, 5:44pm

Hi All

Doing some Forensic Analysis and can see that the file DxO.PhotoLab.Activation.Interop.dll contains a bitcoin address.

Have run the file through the site https://www.filescan.io as well as https://www.hybrid-analysis.com

Common to both analyses is that they point to a bitcoin wallet. Besides this, it looks like DxO has changed providers for license activation. Previously it was hosted at https://hostedactivation.com, but I see they have switched to https://licensespring.com.

I hope they provide the option for us to activate and deactivate our license within the program, like in DaVinci Resolve, maybe in version 8.

As mentioned, I’m just quite puzzled.
The test can be seen here Filescan.IO - Next-Gen Malware Analysis Platform

nevermore · June 3, 2024, 9:15pm

I would never imagine that DXO may include BTC wallet in their code, so i’m quite surprised here and don’t know what to think about it.

Anyway, great fiding and thanks for sharing it! I find it quite intriguing.

Required · June 4, 2024, 1:11am

I don’t have access to my threat hunting suites I once did in my previous employment but my guess is that this is a collision more than a threat signature.

Silent · June 4, 2024, 7:22am

I don’t think they have either, could also be a false positive.

Wlodek · June 4, 2024, 11:35am

The string ‘3euvAgMBAAGjQjBAMA8GA1UdEwEB’, which looks like a bitcoin address, is just a part of one of embedded in dll Amazon’s certificates. Nothing to worry.