Tag Archives: Israel

SetupFlash (New Media Holdings Ltd.) – 18% Detection Rate

Hello readers! Just wanted to let you know about a publisher called SetupFlash (New Media Holdings Ltd.) before going back to writing some code for FreeFixer.

SetupFlash New Media Holdings Ltd publisher

This is how it looks when double-clicking on the file and SetupFlash (New Media Holdings Ltd.) appears as the publisher. To get more details on the publisher, you can view the certificate by right-clicking on the file, and looking under the Digital Signatures tab. According to the certificate we can see that SetupFlash (New Media Holdings Ltd.) seems to be located in Israel and that the certificate is issued by GlobalSign CodeSigning CA – G2.

SetupFlash (New Media Holdings Ltd.) cert

What caught my attention was that the download was called chrome-download.exe. This might look like an official Google Chrome download, but it is not. If it was an official download, it should be signed by Google Inc. Here’s what the authentic Google Chrome looks like when you double click on it. Notice that the “Verified publisher” says “Google Inc”.
Chrome Google Inc publisher
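
The same publisher check can be scripted instead of read from the dialog. The PowerShell below is an added example, not code from the original post or from FreeFixer: it reads each file's Authenticode signature with Get-AuthenticodeSignature and compares the signer with the publisher that the file name implies. The brand table, the function name Test-ClaimedPublisher and the Downloads path are assumptions made for illustration.

```powershell
# Added example. The brand table, function name and scan path are assumptions.
# Maps a substring of the file name to the publisher expected to have signed it.
$ExpectedPublisher = [ordered]@{
    'chrome' = 'Google'   # the page: authentic Chrome shows "Google Inc" as publisher
}

function Test-ClaimedPublisher {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate

    # SimpleName is normally the certificate's CN, the name the UAC prompt displays.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signer = if ($cert) { $cert.GetNameInfo($nameType, $false) } else { $null }
    $issuer = if ($cert) { $cert.GetNameInfo($nameType, $true) }  else { $null }

    # Which publisher does the file name imply, if any?
    $leaf = Split-Path -Leaf $Path
    $expected = $null
    foreach ($brand in $ExpectedPublisher.Keys) {
        if ($leaf -like "*$brand*") { $expected = $ExpectedPublisher[$brand]; break }
    }

    # A valid signature only proves who signed the file, not that the signer
    # is the vendor named in the file name. The prefix match is illustrative;
    # pin the exact subject or certificate thumbprint for a strict check.
    $verdict = if ($sig.Status -ne 'Valid') {
        "Signature not valid: $($sig.Status)"
    } elseif (-not $expected) {
        'No expectation for this file name'
    } elseif ($signer -like "$expected*") {
        'Signer matches claimed product'
    } else {
        'MISMATCH: file name implies a different publisher'
    }

    [pscustomobject]@{
        File = $leaf; Status = $sig.Status; Signer = $signer
        Issuer = $issuer; Verdict = $verdict
    }
}

# Check every executable in the current user's Downloads folder.
Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.exe |
    ForEach-Object { Test-ClaimedPublisher -Path $_.FullName } |
    Format-Table -AutoSize
```

A file such as chrome-download.exe with a valid signature from any publisher other than Google is reported as a mismatch, which is the situation described in these posts.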

If you are considering running the SetupFlash (New Media Holdings Ltd.) signed file, I’ll advise you not to. Delete it instead. Just check out the detection list from some of the anti-virus programs:

SetupFlash New Media Holdings Ltd. report

Ikarus classifies chrome-download.exe as PUA.InstallCore, VIPRE detects it as InstallCore (fs), Malwarebytes detects it as PUP.Optional.InstallCore and Sophos reports Install Core Click run software (PUA).

Did you also find a SetupFlash (New Media Holdings Ltd.) file?

Thank you for reading.

PremiumBeam (New Media Holdings Ltd.) – 15% Detection Rate – InstallCore

Hi there! Just a quick post today, since I’m busy working with the next release of FreeFixer. Did you see a file, such as vlc-media-player.exe, on your system signed by PremiumBeam (New Media Holdings Ltd.)? Then read on.

PremiumBeam (New Media Holdings Ltd.)

If you have a PremiumBeam (New Media Holdings Ltd.) file on your computer you may have noticed that PremiumBeam (New Media Holdings Ltd.) pops up as the publisher in the User Account Control dialog when running the file. The PremiumBeam (New Media Holdings Ltd.) certificate shows that the publisher is located in Tel Aviv, Israel.

These are the current VirusTotal detections for the file. PUP.Optional.InstallCore, HEUR/QVM06.1.Malware.Gen, Install Core Click run software (PUA), SScope.Malware-Cryptor.InstallCore and InstallCore (fs) are a few of the detection names for the vlc-media-player.exe file.

PremiumBeam New Media Holdings Ltd. anti-virus report

Did you also find a file signed by PremiumBeam (New Media Holdings Ltd.)? What kind of download was it and where did you find it?

Thanks for reading.

Safemode Install (Fried Cookie Ltd) – 18% Detection Rate – InstallCore

Hi there! Just a short post on a publisher called Safemode Install (Fried Cookie Ltd). I just found a download named chrome-download.exe that was digitally signed by this publisher, and it turns out that it is detected by some anti-virus programs.

Safemode Install Fried Cookie Ltd certificate

By looking at the certificate we can see that Safemode Install (Fried Cookie Ltd) appears to be located in Israel. GlobalSign has issued the certificate.

The issue here is that if chrome-download.exe really was a setup file for Google Chrome, it would be digitally signed by Google Inc. and not by some unknown company. I think this looks suspicious. Here’s what the authentic Google Chrome looks like when you double click on it. Notice that the “Verified publisher” says “Google Inc”.
Chrome Google Inc publisher

So, why did I put up this blog post? Well, the thing is that the Safemode Install (Fried Cookie Ltd) file is detected by many of the scanners, according to VirusTotal. ESET-NOD32 detects it as a variant of Win32/InstallCore.ADE potentially unwanted, Malwarebytes detects it as PUP.Optional.InstallCore, AVG names chrome-download.exe as InstallCore.F22 and Sophos detects it as Install Core Click run software (PUA).

Safemode Install (Fried Cookie Ltd) anti-virus report

Did you also find a file digitally signed by Safemode Install (Fried Cookie Ltd)? What kind of download was it and where did you find it?

Thanks for reading.

MaxAgile (New Media Holdings Ltd.) – 9% Detection Rate – InstallCore

Hi there! Just a short post on a publisher called MaxAgile (New Media Holdings Ltd.) before going back to some coding on FreeFixer.

MaxAgile New Media Holdings Ltd certificate

You can also check who signed a file by checking the digital signature tab. According to the embedded certificate we can see that MaxAgile (New Media Holdings Ltd.) seems to be located in Tel Aviv, Israel and that the certificate is issued by GlobalSign CodeSigning CA – G2.

MaxAgile GlobalSign

The issue is that chrome-download.exe is not an official Google Chrome download. If it was, it should be digitally signed by Google Inc. Here’s what the authentic Google Chrome looks like when you double click on it. Notice that the “Verified publisher” says “Google Inc”.
Chrome Google Inc publisher

The scan result from VirusTotal below clearly shows why you should avoid the MaxAgile (New Media Holdings Ltd.) file. It is detected under names such as Trojan.InstallCore.1364, PUP.Optional.InstallCore and InstallCore (fs).

MaxAgile anti-virus report

Did you also find a MaxAgile (New Media Holdings Ltd.) file?

Thanks for reading.

CrossBeam (New Media Holdings Ltd.) – 9% Detection Rate at VirusTotal

Hello! Was looking for some downloads to play around with and found one, digitally signed by CrossBeam (New Media Holdings Ltd.). The file is named chrome-download.exe.

CrossBeam (New Media Holdings Ltd.) warning

Typically you’d see the CrossBeam (New Media Holdings Ltd.) publisher name appear when double-clicking on the chrome-download.exe file. By examining the certificate, we can see that CrossBeam (New Media Holdings Ltd.) appears to be located in Tel Aviv, Israel.

CrossBeam (New Media Holdings Ltd.) cert

The certificate is issued by GlobalSign CodeSigning CA – G2.

CrossBeam GlobalSign

The issue here is that if chrome-download.exe really was a setup file for Google Chrome, it should be signed by Google Inc. and not by some unknown company. Here’s what the authentic Google Chrome looks like when you double click on it. Notice that the “Verified publisher” says “Google Inc”.
Chrome Google Inc publisher

9% of the anti-virus scanners detected the file. Some of the detection names for the chrome-download.exe file are a variant of Win32/InstallCore.ACQ.gen potentially unwanted, PUP.Optional.InstallCore and InstallCore (fs).

CrossBeam anti-virus report

When I tested the CrossBeam file it bundled StormFall and Norton 360. The checkboxes for these two programs were not checked by default.

Did you also find a CrossBeam (New Media Holdings Ltd.) file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

SM Install (Fried Cookie Ltd.) – 12% Detection Rate

Welcome! Just a short post on a publisher called SM Install (Fried Cookie Ltd.) before going back to some coding on FreeFixer.

SM Install Fried Cookie Ltd. cert

You can view additional information about the certificate by right-clicking on the file, choosing properties and then clicking on the Digital Signatures tab. According to the certificate we can see that SM Install (Fried Cookie Ltd.) is located in Tel Aviv, Israel and that the certificate is issued by GlobalSign CodeSigning CA – G2.

SM Install (Fried Cookie Ltd.) cert chain globalsign

What caught my attention was that the download was called chrome-download.exe. This might look like an official Google Chrome download, but it is not. If it was an official download, it should be digitally signed by Google Inc. Here’s what the authentic Google Chrome looks like when you double click on it. Notice that the “Verified publisher” says “Google Inc”.
Chrome Google Inc publisher

When I uploaded the SM Install (Fried Cookie Ltd.) file to VirusTotal, it came up with a 12% detection rate. The file is detected as Generic.BEC by AVG, Install Core Click run software (PUA) by Sophos and InstallCore (fs) by VIPRE.

SM Install Fried Cookie Ltd. anti-virus report

Did you also find an SM Install (Fried Cookie Ltd.) file?

Thank you for reading.

Top Scale (New Media Holdings Ltd.) – 14% Detection Rate – InstallCore

Hi there! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called Top Scale (New Media Holdings Ltd.).

Top Scale New Media Holdings Ltd publisher

It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Top Scale (New Media Holdings Ltd.) certificate.

Top Scale New Media Holdings Ltd. cert

Top Scale is located in Tel Aviv, Israel, according to the certificate.

What caught my attention was that the download was called GoogleChromeSetup.exe. This might look like an official Google Chrome download, but it is not. If it was an official download, it should have been signed by Google Inc. Here’s what the authentic Google Chrome looks like when you double click on it. Notice that the “Verified publisher” says “Google Inc”.
Chrome Google Inc publisher

So, what do the anti-virus programs say about the Top Scale (New Media Holdings Ltd.) file? No problem, I just uploaded the file to VirusTotal and it turned out that some of the anti-virus programs detect the Top Scale (New Media Holdings Ltd.) file, with names such as InstallCore.A98, W32.HfsAdware.D59D, PUP.Optional.InstallCore.A and InstallCore (fs).

Top Scale New Media Holdings anti-virus report

Did you also find a Top Scale (New Media Holdings Ltd.) file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.

PlatformMax (Fried Cookie Ltd) – 9% Detection Rate – InstallCore

Welcome! Just wanted to give you a heads-up on a suspicious file I found right now. The file is named vlc-media-player_setup.exe and digitally signed by PlatformMax (Fried Cookie Ltd).

PlatformMax Fried Cookie publisher

If you have a PlatformMax (Fried Cookie Ltd) file on your machine you may have noticed that PlatformMax (Fried Cookie Ltd) is displayed as the publisher in the UAC dialog when double-clicking on the file. The certificate is issued by GlobalSign CodeSigning CA – G2.

PlatformMax (Fried Cookie Ltd) cert

If you are considering running the PlatformMax (Fried Cookie Ltd) signed file, please check out the detection list from some of the anti-virus programs:

PlatformMax anti-virus report

AVG detects vlc-media-player_setup.exe as Generic.7D6, Comodo classifies it as Application.Win32.InstallCore.DXC, DrWeb detects it as Trojan.InstallCore.890 and Malwarebytes reports PUP.Optional.InstallCore.SID.C.

Did you also find a PlatformMax (Fried Cookie Ltd) file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.

Setup Super (Fried Cookie Ltd.) – 16% Detection Rate – InstallCore

Hello! I was playing around and testing some downloads when I found a file digitally signed by Setup Super (Fried Cookie Ltd.).

This is how Setup Super (Fried Cookie Ltd.) appears when running the file:

Setup Super Fried Cookie Ltd publisher

By examining the certificate, we can see that Setup Super (Fried Cookie Ltd.) is located in Tel Aviv, Israel. The certificate is issued by GlobalSign CodeSigning CA – G2.

Setup Super Fried Cookie certificate

The reason I’m writing this blog post is that the Setup Super (Fried Cookie Ltd.) file is detected by some of the anti-virus scanners at VirusTotal. Comodo detects installer_jdownloader_English.exe as Application.Win32.InstallCore.UD, Malwarebytes reports PUP.Optional.InstallCore.SID.C and VIPRE detects it as InstallCore (fs).

Setup Super anti-virus report

Did you also find a file digitally signed by Setup Super (Fried Cookie Ltd.)? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thanks for reading.

Rubin Sister – 16% Detection Rate – MultiPlug / Qudamah / Badur

Hello! I was playing around and testing some downloads when I found a file digitally signed by Rubin Sister.

Rubin Sister publisher

If you have a Rubin Sister file on your computer you may have noticed that Rubin Sister pops up as the publisher in the User Account Control dialog when running the file. The certificate is issued by Certum Code Signing CA.

Rubin Sister certificate

A variant of Win32/Adware.MultiPlug.JZ, Riskware/Badur, Trojan.Win32.Qudamah.Gen.7 and suspected of Heur.Malware-Cryptor.Multiplug are some detection names according to VirusTotal:

Rubin Sister anti-virus report

Did you also find a Rubin Sister file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.