nsm7b4c.tmp

Somoto Ltd

The file nsm7b4c.tmp by Somoto has been detected as a potentially unwanted program by 27 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It includes the Somoto BetterInstaller, an adware installer that bundles offers for additional third-party applications, mostly adware toolbars, with legitimate software; these offers may be installed without adequate user consent. The file has been seen being downloaded from sub.spirlymo.com.
Publisher:
Somoto Ltd  (signed and verified)

Version:
1.0.0.1

MD5:
f4892f5ec2f4d7aed9cdb770c6849c2f

SHA-1:
1ab4da41f67f152215f378c641c38f0aa590008d

SHA-256:
60d5f863fde183a8f99c3115a4398f3ce53aa11df3351d90a696d49c8a5eb95b

Scanner detections:
27 / 68

Status:
Potentially unwanted

Explanation:
Uses the Somoto 'BetterInstaller' to bundle additional (unwanted) software during install without adequate consent.

Analysis date:
10/24/2018 4:41:21 AM UTC  (today)

| Scan engine | Detection | Engine version |
|---|---|---|
| Lavasoft Ad-Aware | Application.Bundler.Somoto.AG | 425 |
| AhnLab V3 Security | PUP/Win32.Somoto | 2015.12.07 |
| Avira AntiVirus | PUA/Somoto.Gen2 | 8.3.2.4 |
| Arcabit | Application.Bundler.Somoto.AG | 1.0.0.628 |
| AVG | AdLoad.S | 2016.0.2903 |
| Baidu Antivirus | Adware.Win32.Somoto | 4.0.3.15127 |
| Bitdefender | Application.Bundler.Somoto.AG | 1.0.20.1705 |
| Bkav FE | W32.HfsAdware | 1.3.0.7383 |
| Clam AntiVirus | Win.Adware.Somoto-2 | 0.98/21511 |
| Comodo Security | Application.Win32.Somoto.GH | 23690 |
| Dr.Web | Adware.Somoto.139 | 9.0.1.0341 |
| ESET NOD32 | Win32/Somoto.G potentially unwanted | 9.12680 |
| F-Prot | W32/Trojan2.OUSK | v6.4.7.1.166 |
| F-Secure | Application.Bundler.Somoto | 11.2015-07-12_2 |
| IKARUS anti.virus | PUA.Somoto | t3scan.1.9.5.0 |
| K7 AntiVirus | Unwanted-Program | 13.212.18027 |
| Kaspersky | not-a-virus:Downloader.Win32.Somato | 14.0.0.1010 |
| Malwarebytes | PUP.Optional.Somoto | v2015.12.07.01 |
| MicroWorld eScan | Application.Bundler.Somoto.AG | 16.0.0.1023 |
| NANO AntiVirus | Riskware.Nsis.Adware.dshbbp | 0.30.26.5051 |
| Qihoo 360 Security | HEUR/QVM42.1.Malware.Gen | 1.0.0.1077 |
| Reason Heuristics | PUP.Somoto.Installer (M) | 15.12.7.1 |
| Sophos | Somoto BetterInstaller (PUA) | 4.98 |
| SUPERAntiSpyware | PUP.Somoto/Variant | 9463 |
| Trend Micro House Call | ADW_TOMOS.SMN | 7.2.341 |
| Trend Micro | ADW_TOMOS.SMN | 10.465.07 |
| VIPRE Antivirus | Trojan.Win32.Generic | 45658 |

File size:
420.8 KB (430,904 bytes)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\nsm7b4c.tmp

Digital Signature
Signed by:

Authority:
Symantec Corporation

Valid from:
6/23/2015 7:00:00 PM

Valid to:
8/22/2016 6:59:59 PM

Subject:
CN=Somoto Ltd, O=Somoto Ltd, L=Tel Aviv, S=Israel, C=IL

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
02FED381427052F6E66365A4627FB0ED

File PE Metadata
Compilation timestamp:
12/5/2009 4:50:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:TFWtnpi1N8UrbKOfHimEb1KPFJG2dYY+7b:TFWhOrBHimESFJx8/

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...

Entropy:
7.9417

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file nsm7b4c.tmp has been seen being distributed by the following URL.
