bfa0d68f.exe

Client Server Runtime Process

Although the file properties claim the file was developed by 'Microsoft Corporation', it is not a Microsoft file; it is designed to look like a legitimate Microsoft system file. The executable bfa0d68f.exe, "Client Server Runtime Process", has been detected as malware by 6 anti-virus scanners. It is set to execute automatically whenever a user logs into Windows (through the local user Run registry setting) under the name 'CSRSS'. While running, it connects to the Internet address ip-184-168-221-66.ip.secureserver.net on port 80 using the HTTP protocol.
Publisher:
Microsoft Corporation*  (Invalid match)

Product:
Microsoft® Windows® Operating System

Description:
Client Server Runtime Process

Version:
6.3.9600.16384 (winblue_rtm.130821-1623)

MD5:
7f2c0adb3ead048b6a4512b2495f5e43

SHA-1:
a10bb7d6c59ea4e2559ff8caeb6e4f0ea545c657

SHA-256:
595d3e3d6b5460a742c089f28caa8fae1c5b37d85daf82b47c3f9cdbac90281a

Scanner detections:
6 / 68

Status:
Malware

Analysis date:
11/25/2017 2:46:55 AM UTC

Scan engine | Detection | Engine version
avast! | Win32:Evo-gen [Susp] | 160326-0
Emsisoft Anti-Malware | Gen:Trojan.Heur.2mKfXmcCJUjc | 11.5.0.6191
ESET NOD32 | Win32/Filecoder.ED trojan | 8.0.319.0
F-Secure | Trojan.Heur.2mKfXmcCJUjc | 5.15.96
Microsoft Security Essentials | Threat.Undefined | 1.217.49.0
Norman | Gen:Trojan.Heur.2mKfXmcCJUjc | 29.03.2016 06:29:16

File size:
866.5 KB (887,296 bytes)

Product version:
6.3.9600.16384

Copyright:
© Microsoft Corporation. All rights reserved.

Original file name:
CSRSS.Exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\bfa0d68f.exe

File PE Metadata
Compilation timestamp:
1/16/2016 1:52:37 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
12288:uOoJZTQUxyLJypJAwYKe2dhHH83OqESk2np5Mxca5eTZ+qXdhy78ZiZxYoS:uOkZT6nlKe+tmk2pWcaSMqXdhHiZ

Entry address:
0x215260

Entry point:
60, BE, 00, E0, 53, 00, 8D, BE, 00, 30, EC, FF, C7, 87, E8, BD, 20, 00, E0, D2, CD, 9B, 57, 89, E5, 8D, 9C, 24, 80, F1, FC, FF, 31, C0, 50, 39, DC, 75, FB, 46, 46, 53, 68, 25, 3D, 21, 00, 57, 83, C3, 04, 53, 68, 5B, 72, 0D, 00, 56, 83, C3, 04, 53, 50, C7, 03, 07, 00, 04, 00, 90, 90, 90, 55, 57, 56, 53, 83, EC, 7C, 8B, 94, 24, 90, 00, 00, 00, C7, 44, 24, 74, 00, 00, 00, 00, C6, 44, 24, 73, 00, 8B, AC, 24, 9C, 00, 00, 00, 8D, 42, 04, 89, 44, 24, 78, B8, 01, 00, 00, 00, 0F, B6, 4A, 02, 89, C3, D3, E3, 89, D9...

Entropy:
7.9987  (probably packed)

Code size:
864 KB (884,736 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
CSRSS

Command:
"C:\ProgramData\drivers\csrss.exe"


While executing, the file has been observed making network connections in live environments.
