biclient.exe

Better Installer

Somoto Ltd.

Somoto operates a monetization platform known as the 'Better Installer' that lets third-party developers bundle various adware packages through an affiliate pay-per-install program. The application biclient.exe, "Better Installer Host" by Somoto, has been detected as adware by 17 anti-malware scanners. It includes the Somoto BetterInstaller, an adware installer that bundles offers for additional third-party applications, mostly adware toolbars, with legitimate software, and may be installed without adequate user consent.

Publisher:
Somoto Ltd.  (signed and verified)

Product:
Better Installer

Description:
Better Installer Host

Version:
2.0.0.0

MD5:
92c732231b7909edeff180174c6ef499

SHA-1:
9a3475327fc02a2434383c1ff3b41c90fa27e2fe

SHA-256:
d4045cd1fc7ca786ca585ca163d2e0ec0065ee4c42a09f034d8001a382704a43

Scanner detections:
17 / 68

Status:
Adware

Explanation:
Uses the Somoto 'BetterInstaller' to bundle additional (unwanted) software during install without adequate consent.

Analysis date:
4/25/2024 11:42:22 AM UTC

Scan engine          Detection                          Engine version

Avira AntiVirus      APPL/Somoto.Gen2                   7.11.123.168
avast!               Win32:Somoto-F [PUP]               2014.9-131221
Bkav FE              W32.Clod3e8.Trojan                 1.3.0.4613
Boost by Reason      Optional.Somoto.I                  188838
Comodo Security      Application.Win32.Somoto.d         17558
Dr.Web               Adware.Downware.1184               9.0.1.0359
ESET NOD32           Win32/Somoto                       7.9255
F-Prot               W32/SomotoBetterInstaller.A        v6.4.7.1.166
G Data               Win32.Application.Somoto           13.12.22
herdProtect (fuzzy)                                     2013.12.25.0
Kaspersky            not-a-virus:Downloader.NSIS.Agent  14.0.0.4586
Malwarebytes         PUP.Optional.Somoto.A              v2013.12.21.05
McAfee               Artemis!92C732231B79               5600.7274
NANO AntiVirus       Trojan.Win32.Agent.cruvhh          0.28.0.57029
Reason Heuristics    PUP.BetterInstaller.Somoto.I       14.8.7.17
Sophos               Somoto BetterInstaller             4.96
Vba32 AntiVirus      Downloader.Agent                   3.12.24.3

File size:
225.1 KB (230,480 bytes)

Product version:
2.0.0.0

Copyright:
(c) 2012 Somoto Ltd. All rights reserved.

Original file name:
BetterInstaller.exe

File type:
Executable application (Win32 EXE)

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
9/20/2011 9:00:00 AM

Valid to:
9/20/2014 8:59:59 AM

Subject:
CN=Somoto Ltd., O=Somoto Ltd., STREET=PO Box 58096, L=Tel Aviv, S=--, PostalCode=61580, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00841D099D16B738F34172FEEFE1D2574F

File PE Metadata
Compilation timestamp:
10/29/2012 9:47:13 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
3072:7n9mtkIrxidB8D+WS6nj+fgOclZDeVxn/pkcgVLbQJR+6QWZb54vVsSIVT6IC:6XxK2jmXcEVVvgVLbQbZWcS

Entry address:
0x17F41

Entry point:
E8, 37, 6C, 00, 00, E9, 79, FE, FF, FF, 55, 8B, EC, 83, EC, 04, 89, 7D, FC, 8B, 7D, 08, 8B, 4D, 0C, C1, E9, 07, 66, 0F, EF, C0, EB, 08, 8D, A4, 24, 00, 00, 00, 00, 90, 66, 0F, 7F, 07, 66, 0F, 7F, 47, 10, 66, 0F, 7F, 47, 20, 66, 0F, 7F, 47, 30, 66, 0F, 7F, 47, 40, 66, 0F, 7F, 47, 50, 66, 0F, 7F, 47, 60, 66, 0F, 7F, 47, 70, 8D, BF, 80, 00, 00, 00, 49, 75, D0, 8B, 7D, FC, 8B, E5, 5D, C3, 55, 8B, EC, 83, EC, 10, 89, 7D, FC, 8B, 45, 08, 99, 8B, F8, 33, FA, 2B, FA, 83, E7, 0F, 33, FA, 2B, FA, 85, FF, 75, 3C, 8B...

Entropy:
6.3726

Code size:
136.5 KB (139,776 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-192-3-70.lhr5.r.cloudfront.net  (54.192.3.70:80)

TCP (HTTP):
Connects to ec2-54-200-80-90.us-west-2.compute.amazonaws.com  (54.200.80.90:80)

TCP (HTTP):
Connects to server-54-230-94-184.fra2.r.cloudfront.net  (54.230.94.184:80)

TCP (HTTP):
Connects to server-54-230-94-108.fra2.r.cloudfront.net  (54.230.94.108:80)

TCP (HTTP):
Connects to server-54-230-63-184.mad50.r.cloudfront.net  (54.230.63.184:80)

TCP (HTTP):
Connects to server-54-230-53-83.jfk6.r.cloudfront.net  (54.230.53.83:80)

TCP (HTTP):
Connects to server-54-230-53-15.jfk6.r.cloudfront.net  (54.230.53.15:80)

TCP (HTTP):
Connects to server-54-192-55-198.jfk6.r.cloudfront.net  (54.192.55.198:80)

TCP (HTTP):
Connects to server-52-85-63-84.lhr50.r.cloudfront.net  (52.85.63.84:80)

TCP (HTTP):
Connects to server-52-85-63-245.lhr50.r.cloudfront.net  (52.85.63.245:80)

TCP (HTTP):
Connects to server-52-85-151-90.hkg51.r.cloudfront.net  (52.85.151.90:80)

TCP (HTTP):
Connects to server-52-85-151-43.hkg51.r.cloudfront.net  (52.85.151.43:80)

TCP (HTTP):
Connects to server-52-85-151-32.hkg51.r.cloudfront.net  (52.85.151.32:80)

TCP (HTTP):
Connects to server-52-85-151-253.hkg51.r.cloudfront.net  (52.85.151.253:80)

TCP (HTTP):
Connects to server-52-85-151-214.hkg51.r.cloudfront.net  (52.85.151.214:80)

TCP (HTTP):
Connects to server-52-85-151-198.hkg51.r.cloudfront.net  (52.85.151.198:80)

TCP (HTTP):
Connects to server-52-85-151-151.hkg51.r.cloudfront.net  (52.85.151.151:80)

TCP (HTTP):
Connects to s3-1-w.amazonaws.com  (52.216.224.176:80)

TCP (HTTP):
Connects to c4.3e.559e.ip4.static.sl-reverse.com  (158.85.62.196:80)
