Trojan:Win32/Malgent!MSR is a detection that has recently become widespread on Windows systems. It usually flags a real threat, typically a dropper or a backdoor whose purpose is to deliver other malware to the system. However, the detection can also be a false positive: certain kinds of legitimate programs are flagged with no obvious reason.
Even though a false detection is possible, I strongly urge you to take all the recommended precautions. Stealthy malicious software is hard to spot with the naked eye, and backdoors are probably the most concealed of all. In this post, I will show how to recognize that something is wrong and how to find out for sure whether there is malicious software on your system.
Trojan:Win32/Malgent!MSR Overview
Trojan:Win32/Malgent!MSR is a Windows Defender detection name for backdoor-type malware. The name is fairly self-explanatory: “Malicious Agent”, meaning that it works together with other malicious programs. Malgent is distributed through cracks and keygens for popular programs, pirated software and other unlicensed applications. Among the most common carriers for this malware are Windows and Office activators and “free versions” of system cleaners.
Sometimes, Trojan:Win32/Malgent!MSR is a false positive. For example, not long ago Windows Defender started flagging the Tor Browser as Win32/Malgent!MSR. Although most vendors have since corrected this false detection, at the time of writing several vendors still flag certain installers of the program, as well as its executables, as malicious.
Trojan:Win32/Malgent!MSR Technical Analysis
Let’s take a closer look at Trojan:Win32/Malgent!MSR using one of the malicious files as an example. We will skip the false positives and focus on the malicious case. As mentioned earlier, this is a backdoor designed to provide remote access to the target system and to deliver other malicious software. Overall, its behavior is similar to other backdoors: once launched, it performs typical anti-analysis and anti-VM checks, querying the following file and registry locations for signs of a virtual environment or a debugger:
C:\Windows\System32\drivers\etc\hosts
HKEY_CURRENT_USER\Software\Classes\Local Settings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\UILanguages\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
HKEY_LOCAL_MACHINE\System\Setup
There is also a static anti-detection and anti-analysis layer: the sample's payload is RC4-encrypted. Although this is a simple scheme, it is enough to defeat plain signature matching in basic antivirus engines, because the malicious code only appears in clear form in memory after decryption. In addition, the malware executes shellcode and launches several processes to conceal its actions and, where possible, disables security software.
C2 Communication
After making sure it is not running in a sandbox, Malgent connects to a command and control (C2) server. The malware sends GET requests to an Amazon EC2 host (ec2-15-207-207-64.ap-south-1.compute.amazonaws.com), requesting the resource rawmail.php with various query parameters. Judging by the URLs, the malware accesses or retrieves email-like data, as the parameters mailid, action=inbox and param suggest. The values of the param parameter are Base64-encoded strings. Decoding them yields the following:
SUFKVklOQFZJSk1WTkM= decodes to "IAJVIN@VIJMVNC".
SUFKVklOQFZJSkpWQEx (as captured here, one character short of a valid Base64 length) decodes, once the missing padding is added, to "IAJVIN@VIJJV@L" followed by an incomplete trailing byte.
SFZKVklAQVZJTEFD decodes to "HVJVI@AVILAC".
Each value contains an “@” and resembles an email address, but none of them is a valid one, so they are most likely opaque account identifiers or further obfuscated.
In addition, the sample was observed communicating with several other addresses: 15.207.207.64:80 (the Amazon EC2 host above), Microsoft addresses such as 204.79.197.203:443 and 20.99.184.37:443, and internal addresses for NetBIOS services. Note that connections to Microsoft ranges in a sandbox run are frequently background OS traffic (telemetry, updates) rather than C2, so only the EC2 host is firmly tied to the malware here. Malicious actors often host C2 infrastructure on well-known cloud providers precisely because traffic to those ranges is unlikely to be blocked by network filters.
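The following is an added example, not part of the original analysis: a small detector that runs over constructed proxy log lines, matches the request pattern described above (the EC2 host, rawmail.php and the mailid/action/param parameters) and decodes the Base64 param values, repairing missing padding so that a truncated value such as the second one listed above still yields its readable prefix. The log format, timestamps, source IPs and mailid values are made up; only the host, path, parameter names and the three param values come from the analysis.

```python
"""Added example (not from the original post): detect the Malgent C2
request pattern in proxy logs and decode the Base64 'param' values.
Log lines and their timestamps, source IPs and mailid values are
constructed; host, path and parameter names are from the analysis."""
import base64
import binascii
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

C2_HOST = "ec2-15-207-207-64.ap-south-1.compute.amazonaws.com"
C2_PATH = "/rawmail.php"
C2_PARAMS = {"mailid", "action", "param"}

# Constructed log format: "<timestamp> <client-ip> <method> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_param(value: str) -> Optional[str]:
    """Decode a Base64 'param' value, adding any '=' padding the sender or the
    log capture dropped. Returns None when the value is not Base64 at all
    (wrong alphabet, or a length no valid Base64 string can have)."""
    padded = value + "=" * (-len(value) % 4)
    if not B64_RE.match(padded):
        return None
    try:
        raw = base64.b64decode(padded)       # non-strict: leftover bits of a
    except (binascii.Error, ValueError):     # truncated value are discarded
        return None
    return raw.decode("latin-1")             # never fails; shows raw bytes


def c2_hits(log_lines: Iterable[str]) -> List[Dict[str, Optional[str]]]:
    """Return one record per request that matches the C2 pattern:
    the EC2 host, the rawmail.php path and at least one known parameter."""
    hits: List[Dict[str, Optional[str]]] = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("url"))
        if url.hostname != C2_HOST or url.path != C2_PATH:
            continue
        params = {k: v[0] for k, v in parse_qs(url.query).items()}
        if not (C2_PARAMS & set(params)):
            continue
        param = params.get("param")
        hits.append({
            "ts": m.group("ts"),
            "src": m.group("src"),
            "mailid": params.get("mailid"),
            "action": params.get("action"),
            "param": param,
            "decoded": decode_param(param) if param is not None else None,
        })
    return hits


# Constructed sample log: three C2 requests, one benign request and one
# request to the C2 host that does not match the rawmail.php pattern.
SAMPLE_LOG = [
    "2024-05-02T10:14:03Z 10.0.0.23 GET http://" + C2_HOST
    + "/rawmail.php?mailid=1&action=inbox&param=SUFKVklOQFZJSk1WTkM%3D",
    "2024-05-02T10:14:05Z 10.0.0.23 GET http://" + C2_HOST
    + "/rawmail.php?mailid=2&action=inbox&param=SUFKVklOQFZJSkpWQEx",
    "2024-05-02T10:14:09Z 10.0.0.23 GET http://" + C2_HOST
    + "/rawmail.php?mailid=3&action=inbox&param=SFZKVklAQVZJTEFD",
    "2024-05-02T10:15:00Z 10.0.0.41 GET https://www.bing.com/search?q=windows+update",
    "2024-05-02T10:15:12Z 10.0.0.23 GET http://" + C2_HOST + "/index.html",
]

if __name__ == "__main__":
    for hit in c2_hits(SAMPLE_LOG):
        print(hit["ts"], hit["src"], hit["mailid"], hit["action"], hit["decoded"])
```

The detector keys on host, path and parameter names together rather than on the host alone, because a single EC2 hostname is cheap for the operator to rotate; in practice you would also alert on the path and parameter combination regardless of host, and treat a bare hit on the host as lower confidence.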
Payload
In the final stage of its activity, Malgent launches the following processes. Most likely, they are used to stage the environment so that subsequent malware deployments can happen almost instantly.
%SAMPLEPATH%\ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6.exe
%SAMPLEPATH%\notify.exe
C:\Windows\System32\wuapihost.exe -Embedding
The malware injects itself into the system process WMIADAP.EXE to hide its activity or to use that process's resources. It also creates a mutex, “\Sessions\1\BaseNamedObjects\DBWinMutex”, to prevent multiple instances of itself from running; note that DBWinMutex is the well-known mutex name used by the Windows debug output mechanism (OutputDebugString), so on its own it is a weak indicator. The malware then drops a large number of temporary files and metadata into the WER\Temp directory (Windows Error Reporting):
C:\ProgramData\Microsoft\Windows\WER\Temp\WER11ED.tmp
C:\ProgramData\Microsoft\Windows\WER\Temp\WER12B8.tmp
C:\ProgramData\Microsoft\Windows\WER\Temp\WER12E8.tmp
C:\ProgramData\Microsoft\Windows\WER\Temp\WER13D2.tmp
C:\ProgramData\Microsoft\Windows\WER\Temp\WER13E3.tmp
And more…
These files normally store crash information and system diagnostics. In this case, the malware uses them to store its own data and to hide its activity. Keep in mind, though, that Windows Error Reporting itself writes WER*.tmp files into this directory whenever a process crashes, so such files in a sandbox report may equally mean that the sample simply crashed; treat them as a weak indicator on their own.
How to Remove Trojan:Win32/Malgent!MSR
To clean your system and remove the malware, I recommend using Gridinsoft Anti-Malware. This effective solution not only cleans your system but also provides continuous protection against malware. Follow the instructions below:
Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this checks all the volumes present in the system, including hidden folders and system files. The scan takes around 15 minutes.
After the scan, you will see the list of detected malicious and unwanted items. You can adjust the action the program takes for each item: click "Advanced mode" and use the drop-down menus. You can also view extended information about each detection: malware type, effects and the likely source of infection.
Click "Clean Now" to start the removal process. Important: removal may take several minutes when there are many detections. Do not interrupt the process, and your system will be as clean as new.