» csrss.exe
Overview
Analysis
File Details
Network (1)

csrss.exe

The executable csrss.exe has been detected as malware by 40 anti-virus scanners. While running, it connects to the Internet address www.turktelekom.com.tr on port 80 using the HTTP protocol.

File name:

csrss.exe

MD5:

a2aa4e162ed9aad18bc10bf280c03d52

SHA-1:

08c6a9d352ada45fa6509d630530519f2813bd22

SHA-256:

3f97bd398e585c2291758a50c741bf5ada64e32dc1c62e24794fb18c584cc500

Scanner detections:

40 / 68

Status:

Malware

Analysis date:

5/21/2024 8:32:37 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Win32.Generic.497594

684

Agnitum Outpost

I-Worm.Brontok

7.1.1

AhnLab V3 Security

Win-Trojan/Brontok.524288

2015.03.14

Avira AntiVirus

Worm/Brontok.D.5

7.11.217.28

avast!

Win32:Brontok-CE [Wrm]

2014.9-150322

AVG

Worm/Generic_c

2016.0.3162

Baidu Antivirus

Trojan.Win32.Agent

4.0.3.15322

Bitdefender

Win32.Generic.497594

1.0.20.405

Bkav FE

W32.RontokbroYO

1.3.0.6379

Clam AntiVirus

Worm.Brontok.S

0.98/21511

Comodo Security

Worm.Win32.Brontok.CE

21406

Dr.Web

BackDoor.Generic.3162

9.0.1.081

Emsisoft Anti-Malware

Win32.Generic.497594

8.15.03.22.06

ESET NOD32

Win32/Brontok.CE

9.11319

Fortinet FortiGate

W32/Brontok.C@mm

3/22/2015

F-Prot

W32/Brontok.EP@mm

4.6.5.141

F-Secure

Win32.Generic.497594

11.2015-22-03_1

G Data

Win32.Generic.497594

15.3.25

IKARUS anti.virus

Email-Worm.Win32.Brontok

t3scan.1.8.6.0

K7 AntiVirus

EmailWorm

13.200.15261

Kaspersky

Email-Worm.Win32.Brontok

14.0.0.2306

Malwarebytes

Trojan.Dropper

v2015.03.22.06

McAfee

W32/Rontokbro.worm

5600.6818

Microsoft Security Essentials

Worm:Win32/Brontok.M@mm

1.1.11400.0

MicroWorld eScan

Win32.Generic.497594

16.0.0.243

NANO AntiVirus

Trojan.Win32.Alman.btuxjj

0.30.0.296

Norman

Rontokbro

11.20150322

nProtect

Worm/W32.Brontok.45543.B

15.03.13.01

Panda Antivirus

W32/Brontok.N.worm

15.03.22.06

Qihoo 360 Security

Trojan.Generic

1.0.0.1015

Quick Heal

W32.Brontok.Q

3.15.14.00

Rising Antivirus

PE:Trojan.Win32.Generic.12EE11FE!317592062

23.00.65.15320

Sophos

W32/Brontok-K

4.98

SUPERAntiSpyware

Trojan.Agent/Gen-SV

9981

Total Defense

Win32/Robknot.BM

37.0.11493

Trend Micro House Call

WORM_RONTKBR.GEN

7.2.81

Trend Micro

WORM_RONTKBR.GEN

10.465.22

Vba32 AntiVirus

Trojan.VBRA.06574

3.12.26.3

VIPRE Antivirus

Email-Worm.Win32.Brontok.a

38410

ViRobot

I-Worm.Win32.Brontok.45543[h]

2014.3.20.0

File size:

44.5 KB (45,543 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\users\{user}\appdata\local\csrss.exe

File PE Metadata

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

5.12

CTPH (ssdeep):

768:ref/+PHWTguw3tlp6PqHHyBw1+VTO6gGpF0XeTe4dXFexFFJN5pBwM02sYqv35B6:CHJDw3tlsY0wAQ2F0XeXeN35pBF02rcu

Entry address:

0x32FCE

Entry point:

E9, 81, D1, FC, FF, 0C, 80, 02, 00, 00, 00, 00, 00, 00, 00, 00, 00, A5, 2F, 03, 00, 0C, 80, 02, 00... 
[+]

Packer / compiler:

RLPack FullEdition V1.1X

Code size:

512 Bytes (512 bytes)

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):

Connects to www.turktelekom.com.tr (195.175.254.2:80)

Remove csrss.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.