csrss.exe


The executable csrss.exe has been detected as malware by 6 of 68 anti-virus scanners. Its file name imitates the legitimate Windows Client/Server Runtime Subsystem (csrss.exe), which lives in %SystemRoot%\System32 and is started by the Session Manager, never from a user's Temp folder and never through a Run key; this sample runs from C:\users\{user}\appdata\local\temp\ and is set to start automatically when a user logs into Windows via the current-user Run registry key under the display name ‘Microsoft Windows Hosting Service’. The publisher and product names below are strings carried in the file's own version information (the same resource records the original file name as Actinoca.exe) and are not evidence that the file comes from AVG. While running, it connects to 95-170-88-217.colo.transip.net, the reverse-DNS name of 95.170.88.217, on TCP port 8898.
Remove csrss.exe - Powered by Reason Core Security
Publisher:
AVG PC TuneUp 2014

Product:
Submeter

Description:
Bringal nonapp

Version:
1.04.0003

MD5:
d6ea37379798275a0843da53d0786367

SHA-1:
69be96891fd9e54d1614bef8921ad4f241b2610a

SHA-256:
0b9716ebaafdbdafc032c4592e88804cd19a520b3802874aa49402e0ebc63499

Scanner detections:
6 / 68

Status:
Malware

Analysis date:
12/8/2016 3:10:02 PM UTC

Scan engine
Detection
Engine version

CMC Antivirus
Heur.Win32.Veebee.1!O
1.1.0.977

ESET NOD32
Win32/Injector.BFMF (variant)
8.9921

Rising Antivirus
PE:Malware.XPACK-HIE/Heur!1.9C48
23.00.65.14608

VIPRE Antivirus
Trojan.Win32.Boaxxe.ljb
30146

File size:
232 KB (237,568 bytes)

Product version:
1.04.0003

Original file name:
Actinoca.exe

File type:
Executable application (Win32 EXE)

Language:
French (France)

Common path:
C:\users\{user}\appdata\local\temp\csrss.exe

File PE Metadata
Compilation timestamp:
6/10/2014 3:25:52 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:L/lssYysDE8kEylpuBggrnphHbgHdjLLiitoMoJCVSKAssAwDAss2isAssWeqQoN:LF8ZggrpBmTp6Mof9pdz

Entry address:
0x13F8

Entry point:
68, 8C, 15, 40, 00, E8, EE, FF, FF, FF, 00, 00, 00, 00, 00, 00, 30, 00, 00, 00, 38, 00, 00, 00, 00, 00, 00, 00, DF, 45, 73, 93, 36, FB, CC, 49, BA, EC, 59, 10, 60, C0, 26, 66, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, F6, 00, E8, 51, F7, 00, 64, 65, 66, 65, 69, 74, 00, 00, 00, 00, 00, 00, FF, CC, 31, 00, 04, 64, E0, F2, 0A, A1, 62, F4, 4D, AC, D6, B0, 14, 5B, 40, 34, C2, 0F, 3C, 9F, C8, B3, 5E, B5, 4F, B5, 39, C4, 23, 04, 45, 0E, 1E, 3A, 4F, AD, 33, 99, 66, CF, 11, B7, 0C, 00, AA, 00, 60, D3, 93, 00, 00, 00...

Entropy:
7.2885

Developed / compiled with:
Microsoft Visual Basic v5.0/v6.0

Code size:
212 KB (217,088 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Microsoft Windows Hosting Service

Command:
C:\users\{user}\appdata\local\temp\csrss.exe


The executing file has been observed making the following network connection in live environments.

TCP:
Connects to 95-170-88-217.colo.transip.net  (95.170.88.217:8898)
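The persistence entry and the network indicator above are enough to write a triage check for this sample. The script below is an added example and not part of the original page or of Reason Core Security's tooling: it takes autorun records (the record layout, the field names and the username "alice" are assumptions of this example; the two records are constructed inline, one mirroring the page's Run-key entry and one benign) and flags a csrss.exe that runs from anywhere other than System32, a target living in the user's Temp folder, a SHA-256 matching the analysed sample, or a connection to the listed address and port.

```python
"""Flag a Run-key entry masquerading as csrss.exe (added example, not page code)."""
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators taken from the page: SHA-256 of the sample and its outbound endpoint.
KNOWN_SHA256 = {"0b9716ebaafdbdafc032c4592e88804cd19a520b3802874aa49402e0ebc63499"}
KNOWN_C2 = {("95.170.88.217", 8898)}

# Core Windows processes that only ever execute from %SystemRoot%\System32.
PROTECTED_NAMES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                   "services.exe", "lsass.exe"}
SYSTEM32 = "c:\\windows\\system32\\"
TEMP_MARKER = "\\appdata\\local\\temp\\"


@dataclass
class AutorunEntry:
    """One value from a Run key (layout is an assumption of this example)."""
    key: str                      # registry key the value was read from
    name: str                     # value name shown as the display name
    command: str                  # command line stored in the value
    sha256: str = ""              # hash of the target file, if collected
    remote: Optional[Tuple[str, int]] = None  # observed (ip, port), if any


def target_path(command: str) -> str:
    """Return the lower-cased executable path from a Run-key command line."""
    cmd = command.strip()
    if cmd.startswith('"'):                      # quoted path, possibly with spaces
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:                                        # unquoted: path ends at first space
        exe = cmd.split(" ", 1)[0]
    return exe.lower()


def masquerade_reasons(entry: AutorunEntry) -> List[str]:
    """List every reason the entry looks like the sample; empty means benign."""
    reasons = []
    exe = target_path(entry.command)
    base = ntpath.basename(exe)
    if base in PROTECTED_NAMES and not exe.startswith(SYSTEM32):
        reasons.append(f"{base} started from outside System32: {exe}")
    if TEMP_MARKER in exe:
        reasons.append("autorun target lives in the user's Temp folder")
    if entry.sha256.lower() in KNOWN_SHA256:
        reasons.append("SHA-256 matches the analysed sample")
    if entry.remote in KNOWN_C2:
        reasons.append("outbound connection to known endpoint %s:%d" % entry.remote)
    return reasons


def triage(entries: List[AutorunEntry]) -> dict:
    """Map each suspicious entry's display name to its list of reasons."""
    flagged = {}
    for entry in entries:
        reasons = masquerade_reasons(entry)
        if reasons:
            flagged[entry.name] = reasons
    return flagged


# Constructed input: the page's Run-key entry plus a benign OneDrive entry.
SAMPLE_ENTRIES = [
    AutorunEntry(
        key=r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
        name="Microsoft Windows Hosting Service",
        command=r"C:\users\alice\appdata\local\temp\csrss.exe",
        sha256="0b9716ebaafdbdafc032c4592e88804cd19a520b3802874aa49402e0ebc63499",
        remote=("95.170.88.217", 8898),
    ),
    AutorunEntry(
        key=r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
        name="OneDrive",
        command=r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    ),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ENTRIES).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On a live host the complementary check is process lineage: the real csrss.exe is a child of smss.exe and runs as SYSTEM, so a csrss.exe whose parent is explorer.exe or whose image path is under a user profile is the same masquerade seen from the process list rather than the registry.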
