csrss.exe

The executable csrss.exe has been detected as malware by 39 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Tok-Cirrhatus-1893’. While running, it connects to the Internet address ats.sbs.vip.dc11.lumsb.com on port 443.
MD5:
38b9ef80895a86ec6b1e4ad08bc61d67

SHA-1:
7addcdd62bd68692ec57d337a4dc6a2f55fe8fb9

SHA-256:
c0754d99f4bec88679d14e879c7dec5f94818e630dbba7fccd97c0e6e3e3851b

Scanner detections:
39 / 68

Status:
Malware

Analysis date:
5/21/2024 10:21:24 PM UTC

Scan engine                    Detection                                Engine version
-----------------------------  ---------------------------------------  ----------------
Lavasoft Ad-Aware              Win32.Generic.497594                     170
Agnitum Outpost                I-Worm.Brontok                           7.1.1
AhnLab V3 Security             Win-Trojan/Brontok.524288                2015.07.03
Avira AntiVirus                WORM/Brontok.D.5                         8.3.1.6
Arcabit                        Win32.Generic.497594                     1.0.0.425
avast!                         Win32:Brontok-CE [Wrm]                   2014.9-160818
AVG                            Worm/Generic_c                           2017.0.2648
Bitdefender                    Win32.Generic.497594                     1.0.20.1155
Bkav FE                        W32.RontokbroYO                          1.3.0.6979
Clam AntiVirus                 Worm.Brontok.S                           0.98/21511
Comodo Security                Worm.Win32.Brontok.CE                    22647
Dr.Web                         BackDoor.Generic.3162                    9.0.1.0231
Emsisoft Anti-Malware          Win32.Generic.497594                     8.16.08.18.06
ESET NOD32                     Win32/Brontok.CE                         10.11881
Fortinet FortiGate             Riskware/Generic.AC.1023                 8/18/2016
F-Prot                         W32/Brontok.C.gen                        v6.4.7.1.166
F-Secure                       Win32.Generic.497594                     11.2016-18-08_5
G Data                         Win32.Generic.497594                     16.8.25
IKARUS anti.virus              Email-Worm.Win32.Brontok                 t3scan.1.9.5.0
K7 AntiVirus                   Trojan                                   13.205.16443
Kaspersky                      Email-Worm.Win32.Brontok                 14.0.0.-266
Malwarebytes                   Worm.Brontok                             v2016.08.18.06
McAfee                         W32/Rontokbro.gen@MM                     5600.6304
Microsoft Security Essentials  Worm:Win32/Brontok.M@mm                  1.1.11804.0
MicroWorld eScan               Win32.Generic.497594                     17.0.0.693
NANO AntiVirus                 Trojan.Win32.Alman.btuxjj                0.30.24.2320
nProtect                       Win32.Generic.497594                     15.07.02.01
Panda Antivirus                W32/Brontok.N.worm                       16.08.18.06
Qihoo 360 Security             HEUR/QVM18.1.Malware.Gen                 1.0.0.1015
Quick Heal                     W32.Brontok.Q                            8.16.14.00
Rising Antivirus               PE:Trojan.Win32.Mnless.dyr!1075184010    23.00.65.16816
Sophos                         W32/Brontok-K                            4.98
Total Defense                  Win32/Robknot.BM                         37.1.62.1
Trend Micro House Call         WORM_RONTKBR.GEN                         7.2.231
Trend Micro                    WORM_RONTKBR.GEN                         10.465.18
Vba32 AntiVirus                TScope.Trojan.VB                         3.12.26.4
VIPRE Antivirus                Email-Worm.Win32.Brontok.ik              41662
ViRobot                        I-Worm.Win32.Brontok.45543[h]            2014.3.20.0
Zillya! Antivirus              Worm.Brontok.Win32.321                   2.0.0.2267

File size:
2.2 MB (2,281,959 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\csrss.exe

File PE Metadata
OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
5.12

CTPH (ssdeep):
3072:C+U0uXe3PTbrg+U0uXe3PTbrg+U0uXe3PTbr:Cne3PTone3PTone3PT

Entry address:
0x32FCE

Entry point:
E9, 81, D1, FC, FF, 0C, 80, 02, 00, 00, 00, 00, 00, 00, 00, 00, 00, A5, 2F, 03, 00, 0C, 80, 02, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
0.6955

Packer / compiler:
MEW, 0x11 SE v1.2

Code size:
512 Bytes (512 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Tok-Cirrhatus-1893

Command:
"C:\users\{user}\appdata\local\br4809on.exe"
The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to ats.sbs.vip.dc11.lumsb.com  (8.12.146.61:443)

TCP (HTTP):
Connects to unknown.prolexic.com  (72.52.4.121:80)

TCP (HTTP):
Connects to clipart.geo.vip.bf1.yahoo.com  (98.137.201.117:80)

Remove csrss.exe - Powered by Reason Core Security