00000002

Somoto Ltd.

Somoto uses a monetization platform known as the 'Better Installer' to provide the ability of 3rd party developers to bundle various adware packages through an affiliate pay-per-install program. The file 00000002 by Somoto has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the Somoto BetterInstaller installer. The file has been seen being downloaded from downloadnix.com.
Publisher:
Somoto Ltd.  (signed and verified)

MD5:
3e22b022c0dbb7f863eea00a06fb8b99

SHA-1:
6dc6de3ead2676356daffdfde7d66c402deb55b1

SHA-256:
264be91f7cc94ee80314de7066b599d2acbd9fe0e56aaf7ad52d23a3b075d9c1

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Description:
This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature this is not set be defult and is usually overlooked.

Analysis date:
11/23/2024 9:32:42 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Somoto.Bundler (M)
16.2.13.19

File size:
220 KB (225,272 bytes)

Bundler/Installer:
Somoto BetterInstaller

Common path:
C:\users\{user}\appdata\local\google\chrome\user data\default\file system\000\t\00\00000002

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
7/2/2014 7:00:00 AM

Valid to:
7/3/2015 6:59:59 AM

Subject:
CN=Somoto Ltd., O=Somoto Ltd., L=Tel Aviv, S=Israel, C=IL

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
6A0C39D0252522A9C448352858ACAACB

File PE Metadata
Compilation timestamp:
12/17/2010 4:14:12 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.56

CTPH (ssdeep):
6144:iA0m3D0oD1WtYfULhXGwBtU8/BkIV7uDRFt4:iA0iD0ojfeG2t91V7uDRF+

Entry address:
0x39AC

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, 7C, 01, 00, 00, E8, 97, 46, 00, 00, 83, EC, 0C, 68, 01, 80, 00, 00, E8, 42, 43, 00, 00, 6A, 00, E8, AB, 46, 00, 00, 6A, 08, A3, 88, 4C, 42, 00, E8, B1, 28, 00, 00, 6A, 00, 68, 60, 01, 00, 00, A3, 38, 4D, 42, 00, 8D, 85, 90, FE, FF, FF, 50, 6A, 00, 68, A4, A2, 40, 00, E8, F0, 45, 00, 00, 83, EC, 0C, 68, A5, A2, 40, 00, 68, 68, 4D, 42, 00, E8, EF, 2A, 00, 00, 83, C4, 18, E8, FE, 42, 00, 00, 52, 52, 50, 68, 00, D0, 42, 00, E8, DA, 2A, 00, 00, 57, 6A, 00, E8, 39, 42, 00, 00, 83...
 
[+]

Code size:
28.5 KB (29,184 bytes)

The file 00000002 has been seen being distributed by the following URL.

Remove 00000002 - Powered by Reason Core Security