magent.exe

Mail.Ru Агент

LLC Mail.Ru

magent.exe is the resident executable of Mail.Ru Агент (Mail.Ru Agent), published and Authenticode-signed by LLC Mail.Ru. One of 68 anti-malware scanners classifies it as potentially unwanted; that single detection is PUP.Optional.Startup.G from Reason Heuristics, a heuristic whose name indicates it keys on the program's startup persistence rather than on a malware signature, so the file should be treated as a PUP, not as a confirmed threat. It registers itself to start at Windows logon under the value name 'MAgent' in both the current-user Run key (magent.exe -cu, launched from the user's AppData\Roaming profile) and the all-users Run key (magent.exe -lm, launched from Program Files). The file has been seen downloaded from cs02.userfiles.me, a third-party file host rather than a mail.ru domain, under the name magent-spaces.ru.exe; a copy obtained there should be checked against the SHA-256 below before it is trusted. While running it connects over TCP port 2042 to a pool of mrimNN.mail.ru and mrimNN.i.mail.ru hosts, mrim24.i.mail.ru among them. Note that the Thawte-issued code-signing certificate expired on 2/7/2014, so the signature still verifies only if it carries a trusted timestamp countersignature; otherwise verification tools report the certificate as expired.
Publisher:
Mail.Ru (signed by LLC Mail.Ru)

Product:
Mail.Ru Агент

Version:
6, 0, 6015, 0

MD5:
298065bda95ac649fead1edd8dfc1a7e

SHA-1:
d594a9f98c5594de754f6ea8606a50e1a94f8653

SHA-256:
c8b9bab85f48cacc7f9e1f3af9651efe797d28aecd3b19be0793edeac17430e0

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/5/2024 8:24:13 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Optional.Startup.G

Engine version:
14.3.28.18

File size:
27.1 MB (28,418,232 bytes)

Product version:
6, 0, 6015, 0

Copyright:
Copyright (C) 2001 - 2011

Original file name:
magent.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\mail.ru\agent\magent.exe

Digital Signature
Signed by:
LLC Mail.Ru
Authority:
Thawte, Inc.

Valid from:
12/9/2011 4:00:00 AM

Valid to:
2/7/2014 3:59:59 AM

Subject:
CN=LLC Mail.Ru, O=LLC Mail.Ru, L=Moscow, S=Moscow, C=RU

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
1C09DBBC732D4B58F7A88EBACF323417

File PE Metadata
Compilation timestamp:
12/17/2012 4:54:52 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
393216:e3W8/J/ZXA5I/klm83bHibDaiXxl72OQgFKs5fc24:vCRXMNmsHibDPXxxtQkc24

Entry address:
0x7B8AE7

Entry point:
E8, C6, A0, 01, 00, E9, 79, FE, FF, FF, 8B, FF, 55, 8B, EC, 56, 8D, 45, 08, 50, 8B, F1, E8, 06, 4F, FF, FF, C7, 06, 0C, A4, 31, 01, 8B, C6, 5E, 5D, C2, 04, 00, C7, 01, 0C, A4, 31, 01, E9, 16, 50, FF, FF, 8B, FF, 55, 8B, EC, 56, 8B, F1, C7, 06, 0C, A4, 31, 01, E8, 03, 50, FF, FF, F6, 45, 08, 01, 74, 07, 56, E8, 39, 43, FF, FF, 59, 8B, C6, 5E, 5D, C2, 04, 00, 8B, FF, 55, 8B, EC, 56, 57, 8B, 7D, 08, 8B, 47, 04, 85, C0, 74, 47, 8D, 50, 08, 80, 3A, 00, 74, 3F, 8B, 75, 0C, 8B, 4E, 04, 3B, C1, 74, 14, 83, C1, 08...

Code size:
14.3 MB (14,958,592 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
MAgent

Command:
C:\users\{user}\appdata\roaming\mail.ru\agent\magent.exe -cu


Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
MAgent

Command:
C:\Program Files\mail.ru\agent\magent.exe -lm
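The two Run entries above are the first thing a responder checks on a host. The Python below is an example added to this page, not code from the report or from Mail.Ru: it parses the text that the Windows `reg query` command prints for the two Run keys, picks out MAgent entries either by value name or by the mail.ru\agent\magent.exe path tail, separates the executable from its -cu/-lm flag even where the Program Files path is unquoted (as it is in the HKLM entry above), and compares the bytes of a recovered file with the SHA-256 in the report. The registry output embedded in it is constructed for the example; the user name alice and the OneDrive and SecurityHealth values are invented, while the two MAgent lines mirror the report.

```python
import hashlib
import re

# Indicators taken from the report above.
KNOWN_SHA256 = "c8b9bab85f48cacc7f9e1f3af9651efe797d28aecd3b19be0793edeac17430e0"
RUN_VALUE_NAME = "MAgent"
# Path tail shared by the per-user and all-users Run commands in the report.
MAGENT_PATH_RE = re.compile(r"mail\.ru\\agent\\magent\.exe$", re.IGNORECASE)

# Constructed sample of what `reg query <key>` prints on Windows (user name,
# OneDrive and SecurityHealth values invented; the MAgent lines mirror the report).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    MAgent    REG_SZ    C:\users\alice\appdata\roaming\mail.ru\agent\magent.exe -cu

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    MAgent    REG_SZ    C:\Program Files\mail.ru\agent\magent.exe -lm
"""

# One value line: name, REG_* type and data, separated by runs of spaces.
ENTRY_RE = re.compile(r"^\s{2,}(?P<name>\S+)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


def parse_reg_query(text):
    """Return (key, value_name, value_type, data) tuples from `reg query` output."""
    key, entries = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):      # unindented line = key header
            key = line.strip()
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            entries.append((key, m["name"], m["type"], m["data"].strip()))
    return entries


def split_command(cmd):
    """Split a Run command into (executable, arguments).

    Handles a quoted path and, as in the report's HKLM entry, an unquoted
    path that contains spaces, by cutting at the first '.exe'.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r"(?i)(.+?\.exe)\b(.*)$", cmd)
    if m:
        return m.group(1), m.group(2).strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def find_magent_entries(entries):
    """Flag Run values named MAgent or whose executable is the mail.ru agent path."""
    hits = []
    for key, name, _vtype, data in entries:
        exe, args = split_command(data)
        if name.lower() == RUN_VALUE_NAME.lower() or MAGENT_PATH_RE.search(exe):
            scope = "per-user" if key.upper().startswith("HKEY_CURRENT_USER") else "all-users"
            hits.append({"key": key, "scope": scope, "name": name, "exe": exe, "args": args})
    return hits


def sha256_matches(data, expected=KNOWN_SHA256):
    """True when the bytes of a recovered file hash to the report's SHA-256."""
    return hashlib.sha256(data).hexdigest() == expected.lower()


if __name__ == "__main__":
    for hit in find_magent_entries(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"{hit['scope']:9} {hit['key']}\\{hit['name']}: {hit['exe']} {hit['args']}")
```

On a live host, feed the function the output of `reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and the HKLM equivalent, then read the file at each flagged path and pass its bytes to sha256_matches; a MAgent entry whose binary does not match the hash above is a different build (or a different file) and needs its own verdict.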


The file magent.exe has been observed being distributed from the following URL.

http://cs02.userfiles.me/f/0/1419842466/39058254/0/.../magent-spaces.ru.exe

When executed, the file has been observed making the following network connections (all TCP to port 2042) in live environments.

TCP:
Connects to mrim57.mail.ru  (94.100.191.78:2042)

TCP:
Connects to mrim23.mail.ru  (94.100.186.145:2042)

TCP:
Connects to mrim65.mail.ru  (94.100.191.86:2042)

TCP:
Connects to mrim67.mail.ru  (94.100.191.87:2042)

TCP:
Connects to mrim36.i.mail.ru  (217.69.141.166:2042)

TCP:
Connects to mrim24.i.mail.ru  (217.69.141.157:2042)

TCP:
Connects to mrim45.i.mail.ru  (217.69.141.175:2042)

TCP:
Connects to mrim74.mail.ru  (217.69.141.223:2042)

TCP:
Connects to mrim70.mail.ru  (217.69.141.217:2042)

TCP:
Connects to mrim46.mail.ru  (94.100.191.57:2042)

TCP:
Connects to mrim75.mail.ru  (217.69.141.224:2042)

TCP:
Connects to mrim53.mail.ru  (94.100.191.74:2042)

TCP:
Connects to mrim34.i.mail.ru  (217.69.141.164:2042)

TCP:
Connects to mrim69.mail.ru  (217.69.141.216:2042)

TCP:
Connects to mrim62.mail.ru  (94.100.191.83:2042)

TCP:
Connects to mrim59.mail.ru  (94.100.191.80:2042)

TCP:
Connects to mrim55.mail.ru  (94.100.191.76:2042)

TCP:
Connects to mrim49.mail.ru  (94.100.191.60:2042)

TCP:
Connects to mrim43.i.mail.ru  (217.69.141.173:2042)
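Every connection in the list above is TCP to port 2042 on a host named mrimNN.mail.ru or mrimNN.i.mail.ru, which makes the profile easy to hunt for in endpoint or flow telemetry. The Python below is an example added to this page, not code from the report or from Mail.Ru. It carries the 19 resolved addresses from the list, collapses them into /24 networks for hunting, and then classifies connection records by three signals: an mrim hostname, a reported address (or one inside a reported /24), and whether the connecting process is actually magent.exe, since the same destination from any other image is the finding worth escalating. The records it runs on are constructed in Sysmon Event ID 3 field names and are not real telemetry; the hosts mrim81.mail.ru and the addresses 94.100.191.99 and 94.100.180.200 are invented, and the remark that mrim is the Mail.Ru instant-messaging backend is background knowledge not stated in the report.

```python
import csv
import io
import ipaddress
import re

# From the report: every observed connection is TCP to port 2042 on an mrimNN.mail.ru
# or mrimNN.i.mail.ru host (mrim is the Mail.Ru instant-messaging backend; not stated on the page).
MRIM_PORT = 2042
MRIM_HOST_RE = re.compile(r"^mrim\d+(\.i)?\.mail\.ru$", re.IGNORECASE)
# The 19 resolved addresses listed in the report.
REPORTED_IPS = {
    "94.100.191.78", "94.100.186.145", "94.100.191.86", "94.100.191.87",
    "217.69.141.166", "217.69.141.157", "217.69.141.175", "217.69.141.223",
    "217.69.141.217", "94.100.191.57", "217.69.141.224", "94.100.191.74",
    "217.69.141.164", "217.69.141.216", "94.100.191.83", "94.100.191.80",
    "94.100.191.76", "94.100.191.60", "217.69.141.173",
}

# Constructed connection records using Sysmon Event ID 3 field names (not real telemetry).
SAMPLE_EVENTS = r"""
time,image,proto,dst_ip,dst_host,dst_port
2024-11-05T20:10:01Z,C:\Program Files\mail.ru\agent\magent.exe,tcp,217.69.141.157,mrim24.i.mail.ru,2042
2024-11-05T20:10:02Z,C:\Program Files\Mozilla Firefox\firefox.exe,tcp,94.100.180.200,mail.ru,443
2024-11-05T20:10:03Z,C:\Users\alice\AppData\Roaming\mail.ru\agent\magent.exe,tcp,94.100.191.99,mrim81.mail.ru,2042
2024-11-05T20:10:04Z,C:\Windows\System32\svchost.exe,tcp,217.69.141.223,-,2042
"""


def reported_networks(ips=REPORTED_IPS, prefix=24):
    """Collapse the reported addresses into /24s. Coarser than the IP list: these
    ranges also carry other mail.ru services, so use them for hunting, not blocking."""
    return sorted({ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips}, key=str)


def parse_events(text):
    """Read the CSV records into dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def classify(event):
    """Return the reasons a connection record matches the report's network profile."""
    reasons = []
    if event["proto"].lower() != "tcp" or int(event["dst_port"]) != MRIM_PORT:
        return reasons
    if MRIM_HOST_RE.match(event["dst_host"]):
        reasons.append("mrim-host")
    if event["dst_ip"] in REPORTED_IPS:
        reasons.append("reported-ip")
    elif any(ipaddress.ip_address(event["dst_ip"]) in net for net in reported_networks()):
        reasons.append("reported-net")
    # The profile belongs to magent.exe; the same destination from another
    # process is the finding worth escalating.
    if reasons and not event["image"].lower().endswith("magent.exe"):
        reasons.append("unexpected-image")
    return reasons


def hunt(text):
    """Return every record that matches, with the reasons it matched."""
    hits = []
    for e in parse_events(text):
        reasons = classify(e)
        if reasons:
            hits.append({"time": e["time"], "image": e["image"],
                         "dst": f"{e['dst_host']}:{e['dst_port']}", "ip": e["dst_ip"],
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(h["time"], h["image"], "->", h["dst"], h["ip"], ",".join(h["reasons"]))
```

Hostnames are the more durable signal here: the mrim pool is load balanced, so a host seen today may resolve to an address outside the 19 listed, while a connection whose destination is a reported address but whose hostname field is empty (as with the svchost.exe record in the sample) deserves a look at what the process really is.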
