bi.exe

Somoto Ltd.

Somoto operates a monetization platform known as the 'Better Installer' that lets third-party developers bundle various adware packages through an affiliate pay-per-install program. The application bi.exe by Somoto has been detected as adware by 17 anti-malware scanners. The program is a setup application built with the Somoto BetterInstaller installer. According to AVG, this software downloads additional adware offers during setup. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from sub.holabonitina.com.
Publisher:
Somoto Ltd.  (signed and verified)

Version:
1.0.0.1

MD5:
a9bfb5bc21250c87fc568bdd3de1b51b

SHA-1:
538736d570fe3c4d3b64279d0af25f30e3429cde

SHA-256:
87f930bf6afa092bb83a6411f57c3823ca680bac2464908e6b4c5ea0e87661fd

Scanner detections:
17 / 68

Status:
Adware

Explanation:
Uses the Somoto 'BetterInstaller' to bundle additional (unwanted) software during install without adequate consent.

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open-source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
4/26/2024 10:44:46 AM UTC

Scan engine              Detection                              Engine version
AhnLab V3 Security       Win-PUP/Somoto                         2015.02.08
avast!                   Win32:Somoto-R [PUP]                   2014.9-150916
AVG                      Downloader                             2016.0.2985
Baidu Antivirus          Adware.Win32.Somoto                    4.0.3.15916
Comodo Security          Application.Win32.Somoto.GDP           20995
Dr.Web                   Trojan.Packed.28357                    9.0.1.0259
ESET NOD32               Win32/Somoto.G potentially unwanted    9.11138
K7 AntiVirus             Unwanted-Program                       13.193.14895
Kaspersky                not-a-virus:Downloader.Win32.Agent     14.0.0.1419
Malwarebytes             PUP.Optional.Somoto                    v2015.09.16.05
McAfee                   Artemis!A9BFB5BC2125                   5600.6641
Panda Antivirus          PUP/MultiToolbar.A                     15.09.16.05
Qihoo 360 Security       HEUR/QVM42.0.Malware.Gen               1.0.0.1015
Reason Heuristics        PUP.Somoto.Bundler (M)                 15.9.16.5
Sophos                   Somoto BetterInstaller                 4.98
Trend Micro House Call   Suspicious_GEN.F47V0206                7.2.259
VIPRE Antivirus          Trojan.Win32.Generic                   37332

File size:
420.4 KB (430,520 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Somoto BetterInstaller (using Nullsoft Install System)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\bi.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
7/2/2014 3:00:00 AM

Valid to:
7/3/2015 2:59:59 AM

Subject:
CN=Somoto Ltd., O=Somoto Ltd., L=Tel Aviv, S=Israel, C=IL

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
6A0C39D0252522A9C448352858ACAACB

File PE Metadata
Compilation timestamp:
12/6/2009 12:50:46 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:DsxFDD4/XqcOa6+z9n/v+sbJfjQWsRHjX5ZOEerILbaKVhbKANyszWL2hR:WFDuX8+z9OusRb5ATOVlN17

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...
Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file bi.exe has been seen being distributed by the following URL.

Remove bi.exe - Powered by Reason Core Security