bitool.dll

Somoto Ltd.

Somoto operates a monetization platform known as the 'Better Installer' that lets third-party developers bundle various adware packages through an affiliate pay-per-install program. The module bitool.dll by Somoto has been detected as adware by 8 anti-malware scanners. It includes the Somoto BetterInstaller, an adware installer that bundles offers for third-party applications, mostly adware toolbars, with legitimate software. These offers are typically installed onto users' PCs by default, but may include an option to 'opt-out' during or after the installation process.
Publisher:
Somoto Ltd.  (signed and verified)

MD5:
13a09becabce7ce7de02d42d9c00a250

SHA-1:
40ce0a58e99858007e5dcd0bb5bf6a122686a917

SHA-256:
b1f3a0534d9f847ba540ae37258f794bb2d8bb779389ac6753f365a78fb5ab9c

Scanner detections:
8 / 68

Status:
Adware

Analysis date:
12/7/2019 5:37:32 AM UTC

Scan engine             Detection                     Engine version
avast!                  Win32:Somoto-J [PUP]          2014.9-131203
Bkav FE                 W32.Clod332.Trojan            1.3.0.4562
Dr.Web                  Adware.Somoto.15              9.0.1.0337
Emsisoft Anti-Malware   Application.Win32.InstallAd   8.13.12.03.09
ESET NOD32              Win32/Somoto                  7.9124
Malwarebytes            PUP.Optional.Somoto           v2013.12.03.09
Reason Heuristics       PUP.Somoto.G                  14.8.7.17
XVirus List             Win32.Detected                2.8.7

File size:
37.6 KB (38,456 bytes)

File type:
Dynamic link library (Win32 DLL)

Common path:
C:\users\{user}\appdata\local\temp\bitool.dll

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
9/20/2011 2:00:00 AM

Valid to:
9/20/2014 1:59:59 AM

Subject:
CN=Somoto Ltd., O=Somoto Ltd., STREET=PO Box 58096, L=Tel Aviv, S=--, PostalCode=61580, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00841D099D16B738F34172FEEFE1D2574F

File PE Metadata
Compilation timestamp:
5/3/2013 12:03:15 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
768:11NiCLH+xD7OgYI1FRJkU4qPAQp66VyTxMZ2OKUHLwgWIxhXg:BiEexBYI1994qPApTx+2OKmLwyhXg

Entry address:
0x54CF

Entry point:
8B, FF, 55, 8B, EC, 83, 7D, 0C, 01, 75, 05, E8, 37, 04, 00, 00, FF, 75, 08, 8B, 4D, 10, 8B, 55, 0C, E8, CC, FE, FF, FF, 59, 5D, C2, 0C, 00, 8B, FF, 55, 8B, EC, 81, EC, 28, 03, 00, 00, A3, E8, 81, 00, 10, 89, 0D, E4, 81, 00, 10, 89, 15, E0, 81, 00, 10, 89, 1D, DC, 81, 00, 10, 89, 35, D8, 81, 00, 10, 89, 3D, D4, 81, 00, 10, 66, 8C, 15, 00, 82, 00, 10, 66, 8C, 0D, F4, 81, 00, 10, 66, 8C, 1D, D0, 81, 00, 10, 66, 8C, 05, CC, 81, 00, 10, 66, 8C, 25, C8, 81, 00, 10, 66, 8C, 2D, C4, 81, 00, 10, 9C, 8F, 05, F8, 81...

Code size:
20 KB (20,480 bytes)

The file bitool.dll has been observed being distributed by the following 2 URLs.

Remove bitool.dll - Powered by Reason Core Security