csrss.exe

The executable csrss.exe has been detected as malware by 36 anti-virus scanners. While running, it connects to the Internet address ats.sbs.vip.dc11.lumsb.com on port 443. The file borrows the name of the legitimate Windows Client/Server Runtime Subsystem process, which runs from C:\Windows\System32; the sample reported here runs from the user's local AppData folder instead.
MD5:
8fbb3209541031dc14dd28517698971f

SHA-1:
d70b776bf18da747d57aab21c854203eb30d0cd4

SHA-256:
b3203dc96ca735496ab75f15b1cf4cda6eca02eba2b108de3c3502205ff948af

Scanner detections:
36 / 68

Status:
Malware

Analysis date:
4/24/2024 4:02:25 AM UTC

Scan engine                    | Detection                     | Engine version
Agnitum Outpost                | I-Worm.Brontok.R              | 7.1.1
AhnLab V3 Security             | Worm/Win32.Brontok            | 2013.01.29
Avira AntiVirus                | Worm/Brontok.C                | 7.11.58.228
avast!                         | Win32:Malware-gen             | 2014.9-150827
AVG                            | I-Worm/Brontok.X              | 2016.0.3004
Bitdefender                    | Win32.Generic.5471            | 1.0.20.1195
Clam AntiVirus                 | Worm.Brontok.E                | 0.98/18155
Comodo Security                | Worm.Win32.Brontok            | 15079
Dr.Web                         | BackDoor.Generic.3197         | 9.0.1.0239
Emsisoft Anti-Malware          | Win32.Generic.5471            | 8.15.08.27.06
ESET NOD32                     | Win32/Brontok                 | 9.7941
Fortinet FortiGate             | W32/Brontok.C@mm              | 8/27/2015
F-Prot                         | W32/Brontok.C.gen             | v6.4.6.5.141
F-Secure                       | Win32.Generic.5471            | 11.2015-27-08_5
G Data                         | Win32.Generic.5471            | 15.8.22
IKARUS anti.virus              | Email-Worm.Win32.Brontok      | t3scan.1.3.5.0
K7 AntiVirus                   | EmailWorm                     | 13.158.8156
Kaspersky                      | Email-Worm.Win32.Brontok      | 14.0.0.1516
Malwarebytes                   | Worm.Brontok                  | v2015.08.27.06
McAfee                         | W32/Rontokbro.gen@MM          | 5600.6660
Microsoft Security Essentials  | Worm:Win32/Brontok@mm         | 1.163.1557.0
MicroWorld eScan               | Win32.Generic.5471            | 16.0.0.717
NANO AntiVirus                 | Trojan.Win32.Brontok.bmcat    | 0.22.8.49711
Norman                         | Rontokbro                     | 11.20150827
nProtect                       | Win32.Generic.5471            | 13.01.28.02
Panda Antivirus                | W32/Brontok.GS.worm           | 15.08.27.06
Quick Heal                     | W32.Brontok.Q                 | 8.15.12.00
Rising Antivirus               | Trojan.Win32.Mnless.dyr       | 23.00.65.15825
Sophos                         | W32/Brontok-E                 | 4.85
SUPERAntiSpyware               | Trojan.Agent/Gen-Krotche      | 9665
Total Defense                  | Win32/Robknot.J               | 37.0.10268
Trend Micro House Call         | TROJ_SPNR.29L511              | 7.2.239
Trend Micro                    | TROJ_SPNR.29L511              | 10.465.27
Vba32 AntiVirus                | Email-Worm.Win32.Brontok.q    | 3.12.18.5
VIPRE Antivirus                | Email-Worm.Win32.Brontok.ik   | 15260
ViRobot                        | I-Worm.Win32.Brontok.42734.A  | 2011.4.7.4223

File size:
1.1 MB (1,160,942 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\csrss.exe

File PE Metadata
OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
5.12

CTPH (ssdeep):
768:SMu/ynm/Kr7sYp/2oUQZBaqGte5ooGNzcix/ptaPv35BMC:sEm/87sYpTCtf5zco7o5

Entry address:
0x2F4D5

Entry point:
E9, 7A, 0C, FD, FF, 0C, 50, 02, 00, 00, 00, 00, 00, 00, 00, 00, 00, AC, F4, 02, 00, 0C, 50, 02, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Packer / compiler:
MEW, 0x11 SE v1.2

Code size:
512 bytes

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to ats.sbs.vip.dc11.lumsb.com  (8.12.146.61:443)

TCP (HTTP SSL):
Connects to ir1.fp.vip.ne1.yahoo.com  (98.138.253.109:443)

TCP (HTTP SSL):
Connects to media-router-fp1.prod.media.vip.ne1.yahoo.com  (98.138.252.38:443)

TCP (HTTP SSL):
Connects to media-router-fp1.prod.media.vip.bf1.yahoo.com  (98.139.180.180:443)

TCP (HTTP SSL):
Connects to ir1.fp.vip.bf1.yahoo.com  (98.139.180.149:443)

TCP (HTTP SSL):
Connects to ir2.fp.vip.bf1.yahoo.com  (98.139.183.24:443)

Remove csrss.exe - Powered by Reason Core Security