nsfe8c1.tmp

Somoto Ltd

The file nsfe8c1.tmp by Somoto has been detected as a potentially unwanted program by 29 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It includes the Somoto BetterInstaller, an adware installer that bundles offers for additional third-party applications, mostly adware toolbars, with legitimate software; these may be installed without adequate user consent. The file has been seen being downloaded from sub.spirlymo.com.
Publisher:
Somoto Ltd  (signed and verified)

Version:
1.0.0.1

MD5:
269c8a4f53a78ee1b8f788e74f6a7e50

SHA-1:
7d5b25514e0414164062ffce0d86af268c45290f

SHA-256:
89d943ca992776e6401bc3c86725677115a22084961a5b6fc6923ad1e20b5134

Scanner detections:
29 / 68

Status:
Potentially unwanted

Explanation:
Uses the Somoto 'BetterInstaller' to bundle additional (unwanted) software during install without adequate consent.

Analysis date:
4/16/2024 5:56:03 AM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Lavasoft Ad-Aware | Application.Bundler.Somoto.AG | 421 |
| AhnLab V3 Security | PUP/Win32.Somoto | 2015.12.05 |
| Avira AntiVirus | PUA/Somoto.Gen2 | 8.3.2.4 |
| Arcabit | Application.Bundler.Somoto.AG | 1.0.0.628 |
| AVG | AdLoad.S | 2016.0.2899 |
| Baidu Antivirus | Adware.Win32.Somoto | 4.0.3.151211 |
| Bitdefender | Application.Bundler.Somoto.AG | 1.0.20.1725 |
| Bkav FE | W32.HfsAdware | 1.3.0.7383 |
| Clam AntiVirus | Win.Adware.Somoto-2 | 0.98/21511 |
| Comodo Security | Application.Win32.Somoto.GH | 23690 |
| Dr.Web | Adware.Somoto.139 | 9.0.1.0345 |
| ESET NOD32 | Win32/Somoto.G potentially unwanted | 9.12674 |
| F-Prot | W32/Trojan2.OUSK | v6.4.7.1.166 |
| F-Secure | Application.Bundler.Somoto | 11.2015-11-12_6 |
| IKARUS anti.virus | PUA.Somoto | t3scan.1.9.5.0 |
| K7 AntiVirus | Adware | 13.212.18027 |
| Kaspersky | not-a-virus:Downloader.Win32.Somato | 14.0.0.988 |
| Malwarebytes | PUP.Optional.Somoto | v2015.12.11.10 |
| McAfee | Artemis!269C8A4F53A7 | 5600.6555 |
| MicroWorld eScan | Application.Bundler.Somoto.AG | 16.0.0.1035 |
| NANO AntiVirus | Riskware.Nsis.Adware.dshbbp | 0.30.26.5051 |
| Panda Antivirus | PUP/Somoto | 15.12.11.10 |
| Qihoo 360 Security | Win32/Virus.Downloader.9c9 | 1.0.0.1077 |
| Reason Heuristics | PUP.Somoto.Installer (M) | 15.12.11.10 |
| Sophos | Somoto BetterInstaller (PUA) | 4.98 |
| SUPERAntiSpyware | PUP.Somoto/Variant | 9454 |
| Trend Micro House Call | ADW_TOMOS.SMN | 7.2.345 |
| Trend Micro | ADW_TOMOS.SMN | 10.465.11 |
| VIPRE Antivirus | Trojan.Win32.Generic | 45626 |

File size:
420.8 KB (430,912 bytes)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\nsfe8c1.tmp

Digital Signature
Signed by:

Authority:
Symantec Corporation

Valid from:
6/24/2015 6:00:00 AM

Valid to:
8/23/2016 5:59:59 AM

Subject:
CN=Somoto Ltd, O=Somoto Ltd, L=Tel Aviv, S=Israel, C=IL

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
02FED381427052F6E66365A4627FB0ED

File PE Metadata
Compilation timestamp:
12/6/2009 4:50:46 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:GsxFDEEnmpxU5LIsgxIaB1oE4SuY1aqLMYmSK4iQvNzxv4wRPWutM5gsHU53AT0/:rFDEOpLI2aBUfY1zm1yNqGezTOXaji

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...
 

Entropy:
7.9415

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file nsfe8c1.tmp has been seen being distributed by the following URL.
