magent.exe

Mail.Ru Агент

LLC Mail.Ru

The application magent.exe by LLC Mail.Ru has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘MAgent’. While running, it connects to the Internet address c1.cdn.ovip.icq.com on port 80 using the HTTP protocol.
Publisher:
Mail.Ru (signed by LLC Mail.Ru)

Product:
Mail.Ru Агент

Version:
6, 3, 8047, 0

MD5:
87fb0c18b54ee552ec82e15a70f44a82

SHA-1:
77211e7e33520ab5c9e23c4d8825ed73745d9554

SHA-256:
e381d4bb12f6e24c1f1787ed4fc55a94e70f65dc596f74616ed1568406ace634

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/6/2024 2:05:50 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Optional.MailRu.G

Engine version:
14.9.2.22

File size:
35 MB (36,747,808 bytes)

Product version:
6, 3, 8047, 0

Copyright:
Copyright (C) 2001 - 2014

Original file name:
magent.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\mail.ru\agent\magent.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
3/19/2014 7:00:00 AM

Valid to:
3/20/2015 6:59:59 AM

Subject:
CN=LLC Mail.Ru, O=LLC Mail.Ru, L=Moscow, S=Moscow, C=RU

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
7BB5DEC99F34595AADEB59E1E5A0BD73

File PE Metadata
Compilation timestamp:
8/26/2014 11:39:44 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
393216:xBqWJ/op4wpihuI6nXHszbZP3REfzJROQfNtPfKOu252hBun2S:x9VbOHatPXQHPffu25aP

Entry address:
0xA22557

Entry point:
E8, 8B, 8B, 01, 00, E9, 39, FE, FF, FF, 6A, 03, E8, 3F, 8B, 01, 00, 59, 83, F8, 01, 74, 15, 6A, 03, E8, 32, 8B, 01, 00, 59, 85, C0, 75, 1F, 83, 3D, 28, BC, AB, 01, 01, 75, 16, 68, FC, 00, 00, 00, E8, 31, 00, 00, 00, 68, FF, 00, 00, 00, E8, 27, 00, 00, 00, 59, 59, C3, 55, 8B, EC, 8B, 4D, 08, 33, C0, 3B, 0C, C5, D0, 23, 6F, 01, 74, 0A, 40, 83, F8, 17, 72, F1, 33, C0, 5D, C3, 8B, 04, C5, D4, 23, 6F, 01, 5D, C3, 55, 8B, EC, 81, EC, FC, 01, 00, 00, A1, 10, 4B, A6, 01, 33, C5, 89, 45, FC, 56, 8B, 75, 08, 57, 56...

Code size:
17.9 MB (18,793,984 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
MAgent

Command:
C:\users\{user}\appdata\roaming\mail.ru\agent\magent.exe -cu

The executing file has been seen to make the following network communications in live environments.

