» csrss.exe
Overview
Analysis
File Details
Behaviors (1)
Network (2)

csrss.exe

The executable csrss.exe has been detected as malware by 37 anti-virus scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘csrss’. This trojon will perform a number of actions that will compromise a PC including changing protected system registry values, hiding in protected operating system locations and downloading and installing additional malware. While running, it connects to the Internet address ip-91-197-13-28.gadu-gadu.pl on port 8074.

File name:

csrss.exe

MD5:

8587b48488444e2c2e90d3605774f32b

SHA-1:

39af2b0c1f3ccfa593890ec9fd118ecdb12501b1

Scanner detections:

37 / 68

Status:

Malware

Analysis date:

4/24/2024 4:16:46 PM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Trojan.Generic.1032816

358

Agnitum Outpost

Trojan.DL.Agent

7.1.1

AhnLab V3 Security

Downloader/Win32.Agent

2016.01.07

Arcabit

Trojan.Generic.DFC270

1.0.0.642

avast!

Win32:AutoRun-AZF [Wrm]

2014.9-160211

AVG

Win32/DH{YWc?}

2017.0.2836

Baidu Antivirus

Worm.Win32.Agent

4.0.3.16211

Bitdefender

Trojan.Generic.1032816

1.0.20.210

Bkav FE

HW32.Packed

1.3.0.7400

Clam AntiVirus

Win.Trojan.Agent-368640

0.98/21511

Comodo Security

TrojWare.Win32.Downloader.Agent.anho

23930

Dr.Web

Trojan.Click.25243

9.0.1.042

Emsisoft Anti-Malware

Trojan.Generic.1032816

8.16.02.11.08

ESET NOD32

Win32/AutoRun.Agent.DR

10.12832

Fortinet FortiGate

W32/AutoRun.DRN!worm

2/11/2016

F-Prot

W32/Downldr2.ICUY

v6.4.7.1.166

F-Secure

Trojan.Generic.1032816

11.2016-11-02_5

G Data

Trojan.Generic.1032816

16.2.25

IKARUS anti.virus

Trojan-Dropper.Agent

t3scan.1.9.5.0

K7 AntiVirus

Trojan-Downloader

13.212.18353

Kaspersky

HEUR:Trojan.Win32.Generic

14.0.0.676

McAfee

Generic.dx!8587B4848844

5600.6492

Microsoft Security Essentials

Trojan:Win32/Malagent!gmb

1.1.12400.0

MicroWorld eScan

Trojan.Generic.1032816

17.0.0.126

NANO AntiVirus

Trojan.Win32.Agent.dgkdg

1.0.14.5380

nProtect

Trojan-Downloader/W32.Agent.313856.C

16.01.07.01

Panda Antivirus

Trj/Genetic.gen

16.02.11.08

Qihoo 360 Security

Win32/Trojan.Downloader.fe9

1.0.0.1077

Quick Heal

TrojanDownloader.Agent.r3

2.16.14.00

Rising Antivirus

PE:Malware.Generic(Thunder)!1.A1C4 [F]

23.00.65.16209

Sophos

Mal/Behav-034

4.98

Trend Micro House Call

WORM_AGENT.SMY

7.2.42

Trend Micro

WORM_AGENT.SMY

10.465.11

Vba32 AntiVirus

BScope.Trojan.Agent

3.12.26.4

VIPRE Antivirus

Trojan.Win32.Generic

46326

ViRobot

Trojan.Win32.Downloader.313856.K[h]

2014.3.20.0

Zillya! Antivirus

Downloader.Agent.Win32.44573

2.0.0.2596

File size:

306.5 KB (313,856 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\windows\system\csrss.exe

File PE Metadata

Compilation timestamp:

4/13/2008 6:57:48 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

5.0

CTPH (ssdeep):

6144:ti+/EwG4q4olt7/XNK8ppMItjE3h+9IrlGb7dNjhxn5RAE:ti+/EwG4dolV/Xw8ZIrgvdFhx5mE

Entry address:

0xD7E90

Entry point:

60, BE, 00, D0, 48, 00, 8D, BE, 00, 40, F7, FF, C7, 87, 98, 70, 0A, 00, 00, 10, 97, B4, 57, EB, 11, 90, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46... 
[+]

Code size:

304 KB (311,296 bytes)

Startup File (All Users Run)

Registry location:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

csrss

Command:

C:\windows\system\csrss.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to unknown.prolexic.com (72.52.4.120:80)

TCP:

Connects to ip-91-197-13-28.gadu-gadu.pl (91.197.13.28:8074)

Remove csrss.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.