csrss.exe

Tests

Alchemy Lab

The executable csrss.exe has been detected as malware by 27 anti-virus scanners. It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘Host-process Windows (Rundll32.exe)’. According to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials and banking details) from a compromised computer and send it to online criminals via a command-and-control server.
Remove csrss.exe - Powered by Reason Core Security
Publisher:
Alchemy Lab

Product:
Tests

Description:
Uzo

Version:
24682 52952 663701

MD5:
236d4f886d9eb6573f5c45dac3f83020

SHA-1:
4cff7d11a5cdd4502387f7365266fb5dcd6d24ea

SHA-256:
64bbdf13bff5737f1de6e664ad9060e2d01517ec7f027e2b81464b579c71ce4a

Scanner detections:
27 / 68

Status:
Malware

Analysis date:
12/10/2016 11:13:12 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Trojan.GenericKD.1704921 | 970
Agnitum Outpost | Trojan.Agent | 7.1.1
Avira AntiVirus | TR/Agent.100864.124 | 7.11.153.142
AVG | SHeur4 | 2015.0.3448
Baidu Antivirus | Trojan.Win32.Agent | 4.0.3.14610
Bitdefender | Trojan.GenericKD.1704921 | 1.0.20.805
ByteHero BDV | Trojan.Malware.Obscu.Gen.004 | 6.10.2014.10
Commtouch SDK | W32/Trojan.EJHZ-7179 | 5.4.1.7
Emsisoft Anti-Malware | Trojan.GenericKD.1704921 | 8.14.06.10.09
ESET NOD32 | Win32/Agent.PZL | 8.9905
Fortinet FortiGate | W32/Agent.PZL!tr | 6/10/2014
F-Prot | W32/Trojan3.INU | v6.4.7.1.166
G Data | Trojan.GenericKD.1704921 | 14.6.24
IKARUS anti.virus | Trojan-Spy.Zbot | t3scan.1.6.1.0
Kaspersky | Trojan.Win32.Reconyc | 14.0.0.3733
Malwarebytes | Spyware.Zbot.VXGen | v2014.06.10.09
McAfee | RDN/Generic.tfr!ea | 5600.7104
McAfee Web Gateway | RDN/Generic.tfr!ea | 7.7104
Microsoft Security Essentials | Trojan:Win32/Shapouf.A | 1.10600
MicroWorld eScan | Trojan.GenericKD.1704921 | 15.0.0.483
NANO AntiVirus | Trojan.Win32.Agent.dafktl | 0.28.0.60100
Norman | Kryptik.CDVV | 11.20140610
Qihoo 360 Security | Win32/Trojan.Multi.daf | 1.0.0.1015
Rising Antivirus | PE:Trojan.Kryptik!1.9A50 | 23.00.65.14608
Trend Micro House Call | TROJ_FORUCON.BMC | 7.2.161
Trend Micro | TROJ_FORUCON.BMC | 10.465.10
VIPRE Antivirus | Trojan.Win32.Generic | 30010

File size:
98.5 KB (100,864 bytes)

Product version:
24682 52952 5618

Copyright:
418407 551958

Original file name:
Lens.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\windows\syswow64\csrss.exe

File PE Metadata
Compilation timestamp:
8/1/2005 5:40:39 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
7.10

CTPH (ssdeep):
1536:BtNpoNmzhiTwCTlC9nUmI78sLYcopMBFSimIaVrgwX0VmqfLqwfiFF:nIm4TwCBCRUDVbYtIaVcZfi

Entry address:
0x5D08

Entry point:
6A, 00, 68, E6, 9B, 40, 00, 6A, 00, 68, 8F, 01, 00, 00, 68, 00, 00, 40, 00, 8B, C4, 89, 05, 99, 3D, 41, 00, FF, 15, B4, A0, 40, 00, 83, C4, 08, 68, 55, B6, 40, 00, 68, 0D, BA, 40, 00, 68, CE, FF, 40, 00, 68, CC, CC, 40, 00, 68, C7, 35, 41, 00, 68, B3, 08, 41, 00, 68, 98, BA, 40, 00, 68, 67, C0, 40, 00, 68, 24, D2, 40, 00, FF, 15, 4C, A0, 40, 00, 68, D2, F8, 40, 00, 68, 1A, D1, 40, 00, 68, DC, 39, 41, 00, 68, 94, D2, 40, 00, 68, 11, 00, 41, 00, 68, 8D, 03, 41, 00, 68, 0E, 37, 41, 00, 68, EA, FD, 40, 00, 68...

Entropy:
5.6552

Developed / compiled with:
Microsoft Visual C++ v7.1

Code size:
35.5 KB (36,352 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Host-process Windows (Rundll32.exe)

Command:
C:\windows\syswow64\csrss.exe

