home

bi.exe

Site on Spot Limited

This is the Somoto BetterInstaller, an installer that bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed without consent. The application bi.exe by Site on Spot Limited has been detected as adware by 17 anti-malware scanners. The program is a setup application that uses the Somoto BetterInstaller installer. Includes the Somoto BetterInstaller, an adware installer that will bundle offers for third party applications, mostly adware toolbars, with legitimate softare. These offers are typically installed onto users' PCs by default, but may include an option to 'opt-out' during or after the installation process.
Publisher:
Site on Spot Limited  (signed and verified)

Version:
1.0.0.1

MD5:
e7ee50c9ce022b1f5ee6ba4d7fca4e93

SHA-1:
3977517671974111ae4519c275b6fb47227b2a6f

SHA-256:
be6b74505d269be2b67814e42ae6f469769173b84329ce8190e6e75172fb8231

Scanner detections:
17 / 68

Status:
Adware

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
11/5/2024 4:50:53 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Application.Bundler.Somoto.AG
634

AhnLab V3 Security
PUP/Win32.Somoto
2015.05.12

AVG
AdLoad.S
2016.0.3112

Baidu Antivirus
Adware.Win32.Somoto
4.0.3.15512

Bitdefender
Application.Bundler.Somoto.AG
1.0.20.660

Bkav FE
W32.HfsAdware
1.3.0.6379

Dr.Web
Trojan.Packed.28357
9.0.1.0132

ESET NOD32
Win32/Somoto.G potentially unwanted
9.11611

F-Secure
Application.Bundler.Somoto
11.2015-12-05_3

K7 AntiVirus
Unwanted-Program
13.203.15875

Kaspersky
not-a-virus:Downloader.Win32.Somato
14.0.0.2054

Malwarebytes
PUP.Optional.Somoto.SID.A
v2015.05.12.04

MicroWorld eScan
Application.Bundler.Somoto.AG
16.0.0.396

NANO AntiVirus
Trojan.Nsis.Downloader.dpxxrf
0.30.24.1357

Qihoo 360 Security
Win32/Virus.Downloader.912
1.0.0.1015

Reason Heuristics
Threat.Somoto.Installer
15.5.12.0

VIPRE Antivirus
Trojan.Win32.Generic
40154

File size:
418.2 KB (428,240 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Somoto BetterInstaller (using Nullsoft Install System)

Language:
Language Neutral

Common path:
C:\windows\temp\{random}.tmp\bi.exe

Digital Signature
Signed by:
Site on Spot Limited

Authority:
thawte, Inc.

Valid from:
1/27/2015 10:00:00 PM

Valid to:
7/9/2015 8:59:59 PM

Subject:
CN=Site on Spot Limited, O=Site on Spot Limited, L=Tel Aviv, S=Israel, C=IL

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
477E336D7B42EDDDED42DABF6FAB572F

File PE Metadata
Compilation timestamp:
12/5/2009 8:50:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:hFvO59rBrKMskwncP/rg1rIaaM+NTZfd+PQVt/6Rp:hFvo9drbB7WrDaRVfdCeBu

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file bi.exe has been seen being distributed by the following URL.

http://sub.sababaishen.com/installers/bi_downloader/.../setup.exe

Remove bi.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.