Tag Archives: CryptInno

OOO “Finans Servis” – 9% Detection Rate: InstallCore/CryptInno

Just wanted to give you a heads-up on files digitally signed by OOO “Finans Servis”.

OOO Finans Servis publisher

The OOO “Finans Servis” certificate shows that the publisher is located in Moscow in Russia.

OOO Finans certificate

The problem here is that the OOO Finans Servis file was promoted as an update for Adobe’s Flash Player. If adobe_flash_setup.exe really was a setup file for Adobe Flash Player, it should be digitally signed by Adobe Systems Incorporated and not by some unknown company located in Moscow.

9% of the anti-malware scanners detected the file. PUP.Optional.InstallCore and BehavesLike.Win32.CryptInno.bc were two of the detection names. I think we will see the other anti-virus programs add this one to the detection list soon.

OOO Finans Servis virustotal

Since you probably came here after finding a file that was digitally signed by OOO Finans Servis, please share what kind of download it was and whether it was detected by the anti-malware scanners at VirusTotal.

Thanks for reading.

STMSetup – 18% Detection Rate by VirusTotal

Hello readers! Just found yet another interesting file, this time signed by STMSetup. The following screenshot shows the User Account Control dialog when running the STMSetup file:

STMSetup for Skype_Setup.exe

You can also view the certificate by right-clicking on the file and looking under the Digital Signatures tab. According to the embedded certificate, STMSetup appears to be located in Tel-Aviv, Israel, and the certificate is issued by COMODO Code Signing CA 2.

STMSetup certificate

What caught my attention was that the download was called Skype_Setup.exe. This might look like an official Skype download, but it is not. If it were an official download, it would be digitally signed by Skype Software Sarl. Here’s what the official Skype signature looks like:

Skype Software Sarl
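
The publisher check described in these posts can be scripted. The following PowerShell is an added example, not part of the original posts; the function names and the Downloads path are assumptions, and the expected-publisher table holds only the two signer names the posts give.

```powershell
# Added example: compare each download's Authenticode signer with the
# publisher its file name implies. Table entries come from the posts above;
# extend it with signer names you have verified yourself.
$ExpectedPublisher = @{
    'adobe_flash_setup.exe' = 'Adobe Systems Incorporated'
    'Skype_Setup.exe'       = 'Skype Software Sarl'
}

function Get-SignerSimpleName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    if (-not $Certificate) { return $null }
    # SimpleName is normally the subject CN, the name shown as "publisher".
    return $Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
}

function Test-DownloadPublisher {
    param([Parameter(Mandatory)][string]$Path)

    $name     = Split-Path -Leaf $Path
    $sig      = Get-AuthenticodeSignature -FilePath $Path
    $signer   = Get-SignerSimpleName $sig.SignerCertificate
    $expected = $ExpectedPublisher[$name]   # hashtable lookup is case-insensitive

    # A valid signature only proves who signed the file. The posts' samples
    # would pass signature validation and still fail the publisher comparison.
    $verdict =
        if     ($sig.Status -eq 'NotSigned') { 'Unsigned' }
        elseif ($sig.Status -ne 'Valid')     { 'InvalidSignature' }
        elseif (-not $expected)              { 'NoExpectation' }
        elseif ($signer -eq $expected)       { 'Match' }
        else                                 { 'PublisherMismatch' }

    [pscustomobject]@{
        File     = $name
        Signer   = $signer
        Expected = $expected
        Status   = $sig.Status
        Verdict  = $verdict
    }
}

# Assumed location: the current user's Downloads folder.
Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.exe |
    ForEach-Object { Test-DownloadPublisher -Path $_.FullName } |
    Format-Table -AutoSize
```

A `PublisherMismatch` row is the situation shown in these posts: a file named after a well-known product but signed by an unrelated publisher.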

So, what does VirusTotal say about Skype_Setup.exe? BehavesLike.Win32.CryptInno.bc, Install Core Click run software and InstallCore (fs) are some detection names:

STMSetup virustotal report

Did you also find an STMSetup file?

Thanks for reading.

ICS Setup – 16% Detection Rate By VirusTotal

Hello! Just a quick post on a file named ChromeSetup.exe signed by ICS Setup before calling it a day. This is how ICS Setup appears when running the file:

ICS Setup

To get more details on the publisher, you can view the certificate by right-clicking on the file, and looking under the Digital Signatures tab. According to the certificate we can see that ICS Setup seems to be located in Tel-Aviv, Israel and that the certificate is issued by COMODO Code Signing CA 2.

ICS Setup certificate

9 of the anti-virus scanners detected the file. Some of the detection names for the ChromeSetup.exe file are W32/InstallCore.AC.gen!Eldorado, BehavesLike.Win32.CryptInno.bc and InstallCore.b (fs).

ICS Setup virustotal

Did you also find an ICS Setup file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thank you for reading.