Tag Archives: Ukraine

LLC “SOFT TRADE LTD” – 5% Detection Rate – Amonetize

Hello! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called LLC “SOFT TRADE LTD”.

LLC SOFT TRADE LTD

Typically you’d see the LLC “SOFT TRADE LTD” publisher name appear when double-clicking on the FlashPlayer__6741_i1609075630_il45347.exe file. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the LLC “SOFT TRADE LTD” certificate.

LLC SOFT TRADE LTD certificate

According to the certificate, the company is located in Ukraine. UserTrust and Comodo are found in the certificate chain:

SOFT TRADE LTD LLC cert chain

What caught my attention was that the download was called FlashPlayer__6741_i1609075630_il45347.exe. This might look like an official Adobe Flash Player download, but it is not. If it were an official download, it would be digitally signed by Adobe Systems Incorporated. Here’s what the authentic Adobe Flash Player installer looks like when you double-click it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
Adobe Systems Incorporated - Adobe Flashplayer Installer

Here’s what the LLC “SOFT TRADE LTD” installer looks like:

LLC SOFT TRADE LTD installer

ADWARE/Amonetize.Gen and “a variant of Win32/Amonetize.HN potentially unwanted” are some of the detection names according to VirusTotal:

LLC SOFT TRADE LTD anti-virus report

Did you also find an LLC “SOFT TRADE LTD” file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thank you for reading.

Vega Resource, LLC – 16% Detection Rate – HEUR:AdWare.Win32.Generic

Hello readers! Just a short post on a publisher called Vega Resource, LLC. I just found a download named “Download.exe” that was digitally signed by this publisher, and it turns out that it is detected by some anti-virus programs.

Vega Resource, LLC publisher

This is how it looks when double-clicking on the file: Vega Resource, LLC appears as the publisher. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Vega Resource, LLC certificate.

Vega Resource, LLC certificate

By clicking the Certification Path tab, we can see that Thawte has issued the certificate:

Vega Resource LLC cert path

The scan result from VirusTotal below clearly shows why you should avoid the Vega Resource, LLC file. It is detected under names such as Generic6.BURQ, a variant of Win32/Adware.MultiPlug.NX, Unwanted-Program ( 004ccd421 ), not-a-virus:HEUR:AdWare.Win32.Generic, PE:Packer.Win32.Mian007.a!1074235325 and Trojan.Agent/Gen-Downloader.

Vega Resource anti-virus report

Did you also run into a download that was digitally signed by Vega Resource, LLC? What kind of download was it, and was it reported by the anti-malware engines at VirusTotal? Please share by posting a comment below.

Hope this blog post helped you avoid some unwanted software on your machine.

Thanks for reading.

Semen Korzuba – VirusTotal: 33% Detection – MultiPlug, Trj/Genetic.gen

Hello! Just a short post before I call it a day. I found yet another file that bundled a bunch of unwanted programs, and the file was signed by Semen Korzuba.

Semen Korzuba warning

Windows will display Semen Korzuba as the publisher when running the file. The certificate is issued by Certum Code Signing CA.

Semen Korzuba cert chain

Semen Korzuba certificate

The VirusTotal report shows that the Semen Korzuba file should be avoided, since Download Uc Browser V Handler Zip.exe is detected as TR/Dropper.Gen by Avira, a variant of Win32/Adware.MultiPlug.NU by ESET-NOD32, PUP.Optional.Multiplug by Malwarebytes, Trj/Genetic.gen by Panda and MultiPlug (v) by VIPRE.

Semen Korzuba anti-virus report

Did you also find a file digitally signed by Semen Korzuba? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thanks for reading.

Simon Leshchuk – 39% Detection – MPlug / MultiPlug says VirusTotal

Hello readers! Just a short note on a publisher called Simon Leshchuk.

Simon Leshchuk publisher

You can also check a digital signature by looking at the file’s properties. Here’s a screenshot of the Simon Leshchuk certificate. Simon is located in Ukraine.

Simon Leshchuk cert

The Certum CA has issued the certificate to Mr. Leshchuk, as you can see in the certification path below:

Simon Leshchuk path

The reason for posting about Simon Leshchuk is that the file is detected by many anti-virus programs. Arcabit detects Download.exe as Trojan.Adware.MPlug.65, Avira detects it as TR/Crypt.XPACK.Gen, F-Secure calls it Gen:Variant.Adware.MPlug, K7AntiVirus calls it Unwanted-Program ( 004c5f5e1 ) and Malwarebytes detects it as PUP.Optional.Multiplug.

Simon Leshchuk anti-virus report

Did you also find a Simon Leshchuk file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

Normands, LLC – Detected as Terkcop and MultiPlug

Hello readers! I was playing around and testing some downloads when I found a file signed by Normands, LLC.

This is how Normands, LLC appears when running the file:

Normands LLC publisher

The certificate is issued by GlobalSign CodeSigning CA – SHA256 – G2. Normands seems to be located in Ukraine.

Normands, LLC certificate

21 of the scanners detected the file. The Download Uc Browser V Handler Zip.exe file is detected as Win32:FakeDownload-G [PUP] by Avast, Gen:Variant.Adware.Terkcop.32 by BitDefender, HW32.Packed.D625 by Bkav, a variant of Win32/Adware.MultiPlug.NI by ESET-NOD32, W32/S-a467db7e!Eldorado by F-Prot, Gen:Variant.Adware.Terkcop by F-Secure and Trojan.Win32.WebPick.dujvsa by NANO-Antivirus.

Normands, LLC anti-virus report

Did you also find a Normands, LLC file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.

Vladislav Mastenko – 38% Detection – Terkcop / MultiPlug

Welcome! Just a short note on a publisher called Vladislav Mastenko.

Vladislav Mastenko publisher

If you have a Vladislav Mastenko file on your computer you may have noticed that Vladislav Mastenko pops up as the publisher in the User Account Control dialog when running the file. To view more information about the embedded certificate you can right-click on the file, then choose Properties and then select the Digital Signatures tab. According to the certificate we can see that Vladislav Mastenko seems to be located in Ukraine and that the certificate is issued by DigiCert Assured ID Code Signing CA-1.

Vladislav Mastenko cert

I decided to upload the Vladislav Mastenko file to VirusTotal. Currently, the detection rate is 21/56. Gen:Variant.Adware.Terkcop.32, Win32:FakeDownload-G [PUP], Gen:Variant.Adware.Terkcop.32 and a variant of Win32/Adware.MultiPlug.NI are some of the detection names.

Vladislav Mastenko virustotal

Did you also find a file digitally signed by Vladislav Mastenko? What kind of download was it and where did you find it?

Thanks for reading.

LLC DE PROEKT – 39% Detection Rate – Amonetize / Strictor / PUP.Optional.Bundle

Hi there! Short on time this evening, but I just wanted to give you the heads up on a publisher called LLC DE PROEKT.

LLC DE PROEKT publisher

If you have an LLC DE PROEKT file on your machine you may have noticed that LLC DE PROEKT is displayed as the publisher in the UAC dialog when double-clicking on the file. The certificate is issued by COMODO RSA Code Signing CA. The publisher is located in Ukraine.

LLC DE PROEKT cert

The problem here is that if FlashPlayer__6741_i1561835113_il7532.exe really were a setup file for Adobe Flash Player, it would have been digitally signed by Adobe Systems Incorporated and not by some unknown company. This looks suspicious. Here’s what the authentic Adobe Flash Player installer looks like when you double-click it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
Adobe Systems Incorporated - Adobe Flashplayer Installer

The issue with the LLC DE PROEKT file is that it is detected by many anti-malware products. Here are some of the detection names: Trojan.Application.Strictor.D164B3, BundleApp.IVU, W32.HfsAdware.B493, Gen:Variant.Application.Strictor, PUP.Optional.Bundle and Amonetize (fs).

LLC DE PROEKT virustotal report

Did you also find a download that was digitally signed by LLC DE PROEKT? What kind of download was it, and was it detected by the anti-virus engines at VirusTotal? Please share by posting a comment.

Thanks for reading.

Update 2015-08-18: Found another download today, also signed by LLC DE PROEKT and also using “Flash” in the filename to confuse users. The detection rate for this file was 25% according to VirusTotal:

LLC DE PROEKT av report update

When I ran the installer it disclosed that it bundled a bitcoin miner or some other type of cryptocurrency miner:

LLC DE PROEKT bitcoin miner

Just a quick update on the certificate chain. It begins with UserTrust, then Comodo and then LLC DE PROEKT:

LLC DE PROEKT certificate chain
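The three checks this post walks through by hand (the Digital Signatures tab in the file’s Properties, whether the signer is the publisher the filename claims, and the certification path from UserTrust through Comodo down to the publisher) can be automated. The PowerShell below is an added example written for this page, not code from the original posts; the file path and the expected-publisher string are assumptions you replace with your own. It uses the built-in Get-AuthenticodeSignature cmdlet and the .NET X509Chain class, and it marks a download as suspicious when it is unsigned, when the signature is not valid, or when the signer’s subject does not contain the expected publisher.

```powershell
# Added example (not from the original blog post): inspect the Authenticode
# signature of a downloaded file, list its certification path, and flag the
# file when the signer does not match the publisher the filename claims.
# Requires Windows PowerShell 5.1 or PowerShell 7 on Windows.

function Test-DownloadSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Substring expected in the signer's Subject CN, e.g. 'Adobe Systems Incorporated'.
        # Leave empty to only report the signer without a publisher comparison.
        [string] $ExpectedPublisher
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # Same data the Digital Signatures tab in Properties shows.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    $result = [ordered]@{
        File           = (Split-Path -Leaf $Path)
        Status         = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer         = $null
        Issuer         = $null
        Chain          = @()
        PublisherMatch = $null
        Suspicious     = $false
    }

    # Unsigned is already a red flag for anything that claims to be a vendor installer.
    if ($sig.Status -eq 'NotSigned' -or $null -eq $sig.SignerCertificate) {
        $result.Suspicious = $true
        return [pscustomobject]$result
    }

    $cert = $sig.SignerCertificate
    $result.Signer = $cert.Subject
    $result.Issuer = $cert.Issuer

    # Build the certification path (what the Certification Path tab shows),
    # leaf certificate first, root CA last.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline-friendly; use 'Online' when you can
    $null = $chain.Build($cert)
    $result.Chain = @($chain.ChainElements | ForEach-Object {
        $_.Certificate.GetNameInfo('SimpleName', $false)
    })

    # The post's core check: a "FlashPlayer" download signed by anyone other
    # than Adobe Systems Incorporated is suspicious regardless of a valid signature.
    if ($ExpectedPublisher) {
        $result.PublisherMatch = $cert.Subject -like "*CN=$ExpectedPublisher*"
        if (-not $result.PublisherMatch) { $result.Suspicious = $true }
    }
    if ($sig.Status -ne 'Valid') { $result.Suspicious = $true }

    [pscustomobject]$result
}

# Usage (the path is a placeholder, not a real location):
# Test-DownloadSignature -Path 'C:\Downloads\FlashPlayer__6741_i1561835113_il7532.exe' `
#                        -ExpectedPublisher 'Adobe Systems Incorporated'
```

A result with Suspicious set to $true, a Signer beginning with a CN that is not the expected vendor and a Chain that reads publisher, then the Comodo/UserTrust intermediates and root, is exactly the situation this post describes: a technically valid signature from a certificate that simply was not issued to the software vendor the filename imitates. Signature validity says who signed the file, not whether that signer should have.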

Dmitry Banak – 30% Detection Ratio – Kryptik / MultiPlug / WebPick

Welcome! Lately I’ve been looking at the digital signatures of files that push various types of unwanted programs. This morning I found a new file called How I Met Your Mother S09E22 HDTV x264-KILLERS[ettv].exe, digitally signed by Dmitry Banak.

Dmitry Banak pop up

Dmitry Banak certificate

Of the 56 scanners, 17 detected the file. The How I Met Your Mother S09E22 HDTV x264-KILLERS[ettv].exe file is detected as Win32:MultiPlug-ABB [PUP] by Avast, a variant of Win32/Kryptik.DPGT by ESET-NOD32, PUP.Optional.Multiplug by Malwarebytes and Trojan.Win32.WebPick.dtsbvc by NANO-Antivirus.

Dmitry Banak virus total

Did you also find a Dmitry Banak download? What kind of download was it?

Thank you for reading.

Artur Flomenko – 11% Detection Rate

Welcome! Just wanted to give you the heads up on files digitally signed by Artur Flomenko.

Artur Flomenko publisher

If you have an Artur Flomenko file on your machine you may have noticed that Artur Flomenko is displayed as the publisher in the UAC dialog when double-clicking on the file. The certificate is issued by Certum Code Signing CA. Mr. Flomenko is located in Ukraine.

Artur Flomenko cert

So, what do the anti-virus programs say about the Artur Flomenko file? I uploaded the file to VirusTotal, and it turned out that some of the anti-virus programs detect it, with names such as Win32:FakeDownload-G [PUP], a variant of Win32/Kryptik.DPGT, Trojan.Downloader, Trj/Genetic.gen and PE:AdWare.Win32.MultiPlug.aq!1075358402.

Artur Flomenko virustotal

Did you also find an Artur Flomenko file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.

Egor Klochko – 34% Detection Rate – MultiPlug / Graftor

Welcome! Just a note on a publisher called Egor Klochko. The Egor Klochko download – Download Uc Browser V Handler Zip.exe – was detected when I uploaded it to VirusTotal. Did you also find a download by Egor Klochko? Was it also detected when you uploaded it to VirusTotal?

Egor Klochko publisher

Typically you’d see the Egor Klochko publisher name appear when double-clicking on the Download Uc Browser V Handler Zip.exe file. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Egor Klochko certificate.

Egor Klochko certificate

The VirusTotal report shows that the Egor Klochko file should be avoided, since Download Uc Browser V Handler Zip.exe is detected as Trojan.Adware.Graftor.D31885 by Arcabit, Gen:Variant.Adware.Graftor.202885 by BitDefender and PUP.Optional.Multiplug by Malwarebytes.

Egor Klochko anti-virus report

Did you also find an Egor Klochko file? Do you remember where you downloaded it?

Thank you for reading.