magent_rfrset_damigo.exe

Mail.Ru Агент

LLC Mail.Ru

The application magent_rfrset_damigo.exe by LLC Mail.Ru has been detected as a potentially unwanted program by 2 of the 68 anti-malware scanners consulted; both detection names (W32.HfsAdware, Win32.Generic.Installer.Meta) are generic installer/adware heuristics rather than a named malware family. The file is a setup program (original file name magentsetup.exe) used to install Mail.Ru Агент, and it is Authenticode-signed by LLC Mail.Ru with a Thawte-issued code-signing certificate. It has been seen being downloaded from e.mail.ru and multiple other hosts. While running, it connects to mra.mail.ru (94.100.180.128) on port 80 over cleartext HTTP.
Publisher:
Mail.Ru (signed by LLC Mail.Ru)

Product:
Mail.Ru Агент

Version:
6, 5, 9316, 0

MD5:
596129ea34a9e97d5ccb07bf114daef3

SHA-1:
e59618448a1de1e668091d6d3a8dee09a2eaf353

SHA-256:
93fc1bb3589f96cdc87b3407a4c394ecf372b0048b8fc570cdd8a5568be73213

Scanner detections:
2 / 68

Status:
Potentially unwanted

Analysis date:
4/25/2024 11:48:45 PM UTC

Scan engine / Detection / Engine version:

Bkav FE: W32.HfsAdware (1.3.0.6379)

Reason Heuristics: Win32.Generic.Installer.Meta (15.6.9.7)

File size:
37.2 MB (39,006,440 bytes)

Product version:
6, 5, 9316, 0

Copyright:
Copyright (C) 2001 - 2014

Original file name:
magentsetup.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\realtek_ac97_audio_drivers_3331\magent_rfrset_damigo.exe

Digital Signature
Signed by:
LLC Mail.Ru
Authority:
Thawte, Inc.

Valid from:
8/13/2014 5:00:00 AM

Valid to:
8/13/2016 4:59:59 AM

Subject:
CN=LLC Mail.Ru, O=LLC Mail.Ru, L=Moscow, S=Moscow, C=RU

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
07D04895757AB4AD4797D7585C09F8EE

File PE Metadata
Compilation timestamp:
6/2/2015 9:19:07 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
786432:aPgJvq9rgE8xghERLg0LAKzw13cdLfEZprHWF99yOlE1BG+YxVjc+dUXVOTdj:aPgZq9F8YERLg0Nzw5cJczbWgL1+TTd1

Entry address:
0x2C89E7

Entry point:
E8, 00, 0C, 01, 00, E9, 39, FE, FF, FF, 55, 8B, EC, 56, 8B, 75, 14, 85, F6, 75, 04, 33, C0, EB, 6D, 8B, 45, 08, 85, C0, 75, 13, E8, 2D, 9B, 00, 00, 6A, 16, 5E, 89, 30, E8, 21, 14, 01, 00, 8B, C6, EB, 53, 57, 8B, 7D, 10, 85, FF, 74, 14, 39, 75, 0C, 72, 0F, 56, 57, 50, E8, 01, 1A, 00, 00, 83, C4, 0C, 33, C0, EB, 36, FF, 75, 0C, 6A, 00, 50, E8, 9F, 0A, 00, 00, 83, C4, 0C, 85, FF, 75, 09, E8, EC, 9A, 00, 00, 6A, 16, EB, 0C, 39, 75, 0C, 73, 13, E8, DE, 9A, 00, 00, 6A, 22, 5E, 89, 30, E8, D2, 13, 01, 00, 8B, C6...
 

Code size:
4.1 MB (4,312,576 bytes)
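The hash and PE-metadata fields above can be regenerated from a local copy of the file. The Python below is an added example written for this page, not code from Reason Core Security or Mail.Ru. It uses only the standard library: it recomputes MD5/SHA-1/SHA-256, compares the SHA-256 with the value the report lists, reads the COFF and optional headers directly (compile timestamp, OS version, subsystem, linker version, entry-point RVA, code size), and checks whether a certificate table is present and of the PKCS#7 SignedData type that Authenticode uses. It does not validate the signature chain; that needs a PKCS#7/X.509 verifier such as `signtool verify /pa` or PowerShell's `Get-AuthenticodeSignature` on Windows. `build_sample_pe()` is a constructed, non-executable header carrying the values the report lists plus a placeholder certificate blob; it is not the real installer, so `matches_report()` returns False for it. Two caveats a practitioner should keep in mind: the signing certificate's validity window (8/13/2014 to 8/13/2016) had closed long before the 2024 analysis date, and whether the signature still verifies depends on a timestamp countersignature that this report does not record; and the file hashes above cover the whole file including the certificate table, so the same build re-signed with a different certificate would carry different MD5/SHA-1/SHA-256 values while its Authenticode digest stayed the same.

```python
"""Recompute the report's file hashes and read the listed PE header fields straight
from the bytes (standard library only, no pefile). Reports whether an Authenticode
certificate table is present and of what type; it does NOT validate the signature."""
import hashlib
import struct
import sys
from datetime import datetime, timezone

# SHA-256 the report lists for magent_rfrset_damigo.exe; used to check a local copy.
REPORTED_SHA256 = "93fc1bb3589f96cdc87b3407a4c394ecf372b0048b8fc570cdd8a5568be73213"
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data-directory slot of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS#7 SignedData


def file_hashes(data: bytes) -> dict:
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def matches_report(data: bytes) -> bool:
    """True only if the bytes are exactly the sample the report describes."""
    return file_hashes(data)["sha256"] == REPORTED_SHA256


def parse_pe(data: bytes) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4                                             # IMAGE_FILE_HEADER (20 bytes)
    _machine, _nsect, tstamp, _, _, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                               # IMAGE_OPTIONAL_HEADER
    magic, lnk_major, lnk_minor, size_of_code = struct.unpack_from("<HBBI", data, opt)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)                # data directory: PE32 vs PE32+
    cert_off, cert_size = struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    info = {
        "bitness": "Win32" if magic == 0x10B else "Win64",
        "compiled": datetime.fromtimestamp(tstamp, tz=timezone.utc),
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "entry_rva": entry_rva,
        "code_size": size_of_code,
        "has_certificate_table": cert_size != 0,
    }
    if cert_size:
        # Unlike the other directories, the security entry holds a raw file offset, not an RVA,
        # pointing at a WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType, bCertificate.
        length, revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
        info.update(cert_length=length, cert_revision=revision,
                    cert_is_authenticode=(cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA))
    return info


def build_sample_pe() -> bytes:
    """Constructed PE32 header (not runnable, NOT the real installer) carrying the values the
    report lists, plus a placeholder WIN_CERTIFICATE whose payload is not a real PKCS#7 blob."""
    pe_off = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)).ljust(pe_off, b"\0")
    tstamp = int(datetime(2015, 6, 2, 21, 19, 7, tzinfo=timezone.utc).timestamp())
    opt_size = 96 + 16 * 8                                        # PE32 header + 16 directories
    coff = struct.pack("<HHIIIHH", 0x14C, 0, tstamp, 0, 0, opt_size, 0x0102)
    cert_off = pe_off + 4 + 20 + opt_size                         # certificate table follows headers
    payload = b"\x30\x82" + b"\0" * 14                            # placeholder, not real DER
    cert = struct.pack("<IHH", 8 + len(payload), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
    opt = struct.pack("<HBB9I6H3IIHH4I2I",
                      0x10B, 11, 0,                               # PE32 magic, linker 11.0
                      4312576, 0, 0, 0x2C89E7, 0x1000, 0, 0x400000, 0x1000, 0x200,
                      5, 1, 0, 0, 5, 1,                           # OS 5.1, image, subsystem versions
                      0, 0, cert_off,                             # Win32VersionValue, SizeOfImage, SizeOfHeaders
                      0,                                          # CheckSum
                      2, 0,                                       # Windows GUI, DllCharacteristics
                      0, 0, 0, 0, 0, 16)                          # stack/heap sizes, LoaderFlags, 16 dirs
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (cert_off, len(cert))
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    return dos + b"PE\0\0" + coff + opt + cert


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_pe()
    print(file_hashes(data), "matches report:", matches_report(data))
    for key, value in parse_pe(data).items():
        print(f"{key}: {value:#x}" if key == "entry_rva" else f"{key}: {value}")
```

Run it with the path to a downloaded copy as the only argument; with no argument it parses the constructed sample and reports the same header values the report lists, with `matches report: False`.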

The file magent_rfrset_damigo.exe has been seen being distributed from the following URLs.

https://e.mail.ru/cgi-bin/link?check=1&cnf=f19360&url=https://.../exe1&msgid=14838447850000000034;0;0&x-email=dima.link.2002@mail.ru&js=1&redir=1

https://e.mail.ru/cgi-bin/link?check=1&cnf=5a3237&url=https://.../exe1&msgid=14698819840000000097;0;0&x-email=erik2407@mail.ru&js=1&redir=1

https://rfr.agent.mail.ru/magent_rfrset_1497.exe

http://rfr.agent.mail.ru/magent_rfr1552.exe

https://e.mail.ru/cgi-bin/link?check=1&cnf=adb5e2&url=https://.../exe1&msgid=14814227720000000495;0;0&x-email=azamat240483@mail.ru&js=1&redir=1

https://rfr.agent.mail.ru/magent_rfrdamigo1553.exe

https://e.mail.ru/cgi-bin/link?check=1&cnf=cfd24c&url=https://.../exe1&msgid=14839759730000000813;0;0&x-email=vitaliy1969kovalev@mail.ru&js=1&redir=1

https://e.mail.ru/cgi-bin/link?check=1&cnf=d0c672&url=https://.../exe1&msgid=14804991700000000126;0;0&x-email=dilbr@inbox.ru&js=1&redir=1

https://e.mail.ru/cgi-bin/link?check=1&cnf=309d6d&url=https://.../exe1&msgid=14754004060000000056;0;0&x-email=gumka7676@mail.ru&js=1&redir=1

https://e.mail.ru/cgi-bin/link?check=1&cnf=769fc8&url=https://.../exe1&msgid=14806010520000000116;0;0&x-email=alibek.nazarov.81@mail.ru&js=1&redir=1

http://soft-file.ru/golink/http://.../magent.exe

https://e.mail.ru/cgi-bin/link?check=1&cnf=12d25b&url=https://.../exe1&msgid=14423729760000000492;0;0&x-email=adelelgohary2012@inbox.ru&js=1&redir=1

http://totalsoft.org/go.php?site=http://.../magent_rfrset.exe

https://e.mail.ru/cgi-bin/link?check=1&cnf=b60490&url=https://.../exe1&msgid=14776436300000000379;0;0&x-email=tatyanka.stepanova.78@list.ru&js=1&redir=1

https://e.mail.ru/cgi-bin/link?check=1&cnf=d42d79&url=https://.../exe1&msgid=14677730900000000877;0;0&x-email=lopouhi1@mail.ru&js=1&redir=1

https://e.mail.ru/cgi-bin/link?check=1&cnf=b3e8e6&url=https://.../exe1&msgid=14429295920000000384;0;0&x-email=anpoy@mail.ru&js=1&redir=1

https://e.mail.ru/cgi-bin/link?check=1&cnf=5869b7&url=https://.../exe1&msgid=14677903210000000333;0;0&x-email=toshilin@mail.ru&js=1&redir=1

https://e.mail.ru/cgi-bin/link?check=1&cnf=e1a8c8&url=https://.../exe1&msgid=14770544160000000394;0;0&x-email=vasena1003@mail.ru&js=1&redir=1

https://e.mail.ru/cgi-bin/link?check=1&cnf=3c5351&url=https://.../exe1&msgid=14740366020000000283;0;0&x-email=sampilovazh@mail.ru&js=1&redir=1

https://e.mail.ru/cgi-bin/link?check=1&cnf=b08670&url=https://.../exe1&msgid=14790910480000000572;0;0&x-email=irihka-irusik@mail.ru&js=1&redir=1

https://e.mail.ru/cgi-bin/link?check=1&cnf=1132ba&url=https://.../exe1&msgid=14793520770000000028;0;0&x-email=boris.atamanov.63@mail.ru&js=1&redir=1

https://e.mail.ru/cgi-bin/link?check=1&cnf=3ac73f&url=https://.../exe1&msgid=14784360190000000008;0;0&x-email=anjela.petrosyan.11@bk.ru&js=1&redir=1

https://e.mail.ru/cgi-bin/link?check=1&cnf=750d15&url=https://.../exe1&msgid=14458722160000000876;0;0&x-email=natali_savo4ka@mail.ru&js=1&redir=1

https://e.mail.ru/cgi-bin/link?check=1&cnf=f264f7&url=https://.../exe1&msgid=14743759540000000411;0;0&x-email=raul.refiyev@mail.ru&js=1&redir=1

https://e.mail.ru/cgi-bin/link?check=1&cnf=564fea&url=https://.../exe1&msgid=14774545320000000889;0;0&x-email=rezjba.1980@mail.ru&js=1&redir=1

https://e.mail.ru/cgi-bin/link?check=1&cnf=6235c4&url=https://.../exe1&msgid=14579573250000000387;0;0&x-email=marinakomisar@mail.ru&js=1&redir=1

https://e.mail.ru/cgi-bin/link?check=1&cnf=a09d50&url=https://.../exe1&msgid=14756613960000000722;0;0&x-email=luda.mila81@mail.ru&js=1&redir=1

http://oneprog.ru/goto/.../

https://e.mail.ru/cgi-bin/link?check=1&cnf=b69736&url=https://.../exe1&msgid=14556168060000000760;0;0&x-email=dianar_82@mail.ru&js=1&redir=1

https://e.mail.ru/cgi-bin/link?check=1&cnf=ac6f81&url=https://.../exe1&msgid=14758955390000000836;0;0&x-email=mila.myasnikova.75@mail.ru&js=1&redir=1

Latest 30 of 147 download URLs
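The list above mixes three kinds of URL: direct downloads from rfr.agent.mail.ru, webmail link-redirector URLs on e.mail.ru that carry the real target in the `url` query parameter (and the recipient's mailbox in `x-email`, so a list like this one is also a list of personal addresses), and third-party download-portal redirectors (soft-file.ru/golink/, totalsoft.org/go.php?site=, oneprog.ru/goto/) that wrap the target in the path or a query parameter. The Python below is an added example, not part of the report, that unwraps each form and summarises where the installer is actually served from, how many links are plain HTTP, and how many embed a recipient address. The sample URLs are constructed in the same shape as the list above, with downloads.example.net, recipient@example.com and the cnf/msgid values as placeholders; the two rfr.agent.mail.ru entries and the oneprog.ru entry are copied from the list, and since the oneprog.ru target is elided there it unwraps to nothing.

```python
"""Classify and unwrap the distribution URLs listed in the report (standard library only)."""
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the shape of the report's list; example.* hosts and the
# recipient address are placeholders, not values taken from the report.
SAMPLE_URLS = [
    "https://e.mail.ru/cgi-bin/link?check=1&cnf=000000&url=https://downloads.example.net/magent_setup.exe"
    "&msgid=10000000000000000000;0;0&x-email=recipient@example.com&js=1&redir=1",
    "https://rfr.agent.mail.ru/magent_rfrset_1497.exe",
    "http://rfr.agent.mail.ru/magent_rfr1552.exe",
    "http://soft-file.ru/golink/http://downloads.example.net/magent_setup.exe",
    "http://totalsoft.org/go.php?site=http://downloads.example.net/magent_setup.exe",
    "http://oneprog.ru/goto/.../",
]


def _absolute(candidate: str):
    """Accept a wrapped target only if it is an absolute URL; elided or relative paths yield None."""
    return candidate if "://" in candidate else None


def unwrap(url: str) -> dict:
    """Return the URL kind, its own host, and the wrapped target (and target host) where present."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    qs = parse_qs(parts.query)
    target = None
    if host == "e.mail.ru" and parts.path == "/cgi-bin/link" and "url" in qs:
        kind = "mail-redirector"                      # real target travels in the url= parameter
        target = _absolute(qs["url"][0])
    elif "/golink/" in parts.path:
        kind = "portal-redirector"                    # target appended to the path
        target = _absolute(parts.path.split("/golink/", 1)[1])
    elif parts.path.endswith("/go.php") and "site" in qs:
        kind = "portal-redirector"                    # target in the site= parameter
        target = _absolute(qs["site"][0])
    elif "/goto/" in parts.path:
        kind = "portal-redirector"                    # target in the path; elided in the report
        target = _absolute(parts.path.split("/goto/", 1)[1])
    elif parts.path.lower().endswith(".exe"):
        kind = "direct-download"
        target = url
    else:
        kind = "other"
    return {
        "kind": kind,
        "host": host,
        "scheme": parts.scheme,
        "target": target,
        "target_host": urlsplit(target).hostname if target else None,
        "leaks_recipient": "x-email" in qs,           # link is tied to a mailbox address
    }


def summarize(urls) -> dict:
    rows = [unwrap(u) for u in urls]
    return {
        "by_kind": Counter(r["kind"] for r in rows),
        "hosts": sorted({r["host"] for r in rows}),
        "target_hosts": sorted({r["target_host"] for r in rows if r["target_host"]}),
        "plain_http": sum(1 for r in rows if r["scheme"] == "http"),
        "leaking_recipient": sum(1 for r in rows if r["leaks_recipient"]),
    }


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(unwrap(url))
    print(summarize(SAMPLE_URLS))
```

Point it at the full 147-entry list to see which hosts actually serve the binary once the redirectors are stripped away; the distinction matters when you are deciding whether to block the vendor host, the webmail redirector endpoint, or a download portal.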

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to mra.mail.ru (94.100.180.128:80)

Analysis powered by Reason Core Security.