snegiri.exe

Salyutem Plyus LLC

This is the OutBrowse Revenyou installer, which bundles offers for additional third-party applications that may be unwanted and are installed without consent. The application snegiri.exe by Salyutem Plyus has been detected as adware by 12 anti-malware scanners. The program is a setup application that uses the OutBrowse Revenyou installer. The file has been seen being downloaded from af9.ru.
Publisher:
Salyutem Plyus LLC (signed and verified)

Version:
1.0.0.0

MD5:
2a7804aac2b347664803bf090965460e

SHA-1:
a8d7a123cbc19bf0eecfd8361c6854645a48e2e8

SHA-256:
10698e88f76715447c7d4571a5c837a355b3d532476afcc3735a9fadf5d5e3e1

Scanner detections:
12 / 68

Status:
Adware

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open-source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping-comparison tools and browser extensions.

Analysis date:
5/6/2024 8:42:31 PM UTC

Scan engine        Detection                                                 Engine version
Agnitum Outpost    Riskware.Agent                                            7.1.1
Avira AntiVirus    APPL/InstallMon.enib                                      7.11.199.92
avast!             Win32:Dropper-gen [Drp]                                   141214-1
AVG                Generic                                                   2016.0.3238
Dr.Web             Trojan.InstallMonster.1097                                9.0.1.05190
ESET NOD32         Win32/InstallMonstr.HR potentially unwanted application   7.0.302.0
K7 AntiVirus       Unwanted-Program                                          13.1814525
Norman             InstallMonstr.S                                           11.20150106
Reason Heuristics  PUP.SalyutemPlyus.H                                       15.1.4.13
Sophos             PUA 'Install Monster'                                     59
Vba32 AntiVirus    Signed-Downware.InstallMonstr                             3.12.26.3
VIPRE Antivirus    Threat.4150696                                            36340

File size:
5.4 MB (5,619,632 bytes)

Product version:
1.0.0.0

File type:
Executable application (Win32 EXE)

Bundler/Installer:
OutBrowse Revenyou

Common path:
C:\users\{user}\downloads\snegiri.exe

Digital Signature
Authority:
thawte, Inc.

Valid from:
12/15/2014 4:00:00 AM

Valid to:
12/16/2015 3:59:59 AM

Subject:
CN=Salyutem Plyus LLC, O=Salyutem Plyus LLC, L=Kharkiv, S=Arkansas, C=UA

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
6B6BB9E1A48F64F47503D8DCF6A5D0D3

File PE Metadata
Compilation timestamp:
6/20/1992 2:22:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
98304:11cUk5W8tKY0J1LkQ4uLo3/nAvBGe2XLk+/RRheblKBFFmk17RXRNk5CpDookr4D:12dI2KDJdkQ44o3PACLb/7heb4FFmkb/

Entry address:
0x8C1CE0

Entry point:
60, BE, 00, 10, 83, 00, 8D, BE, 00, 00, BD, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89...

Packer / compiler:
UPX 2.90LZMA

Code size:
4.6 MB (4,792,320 bytes)

The file snegiri.exe has been seen being distributed by the following URL.

Powered by Reason Core Security