csrss.exe

The executable csrss.exe has been detected as malware by 37 anti-virus scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘csrss’. This trojon will perform a number of actions that will compromise a PC including changing protected system registry values, hiding in protected operating system locations and downloading and installing additional malware. While running, it connects to the Internet address ip-91-197-13-28.gadu-gadu.pl on port 8074.
MD5:
8587b48488444e2c2e90d3605774f32b

SHA-1:
39af2b0c1f3ccfa593890ec9fd118ecdb12501b1

Scanner detections:
37 / 68

Status:
Malware

Analysis date:
11/5/2024 7:10:18 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Trojan.Generic.1032816
358

Agnitum Outpost
Trojan.DL.Agent
7.1.1

AhnLab V3 Security
Downloader/Win32.Agent
2016.01.07

Arcabit
Trojan.Generic.DFC270
1.0.0.642

avast!
Win32:AutoRun-AZF [Wrm]
2014.9-160211

AVG
Win32/DH{YWc?}
2017.0.2836

Baidu Antivirus
Worm.Win32.Agent
4.0.3.16211

Bitdefender
Trojan.Generic.1032816
1.0.20.210

Bkav FE
HW32.Packed
1.3.0.7400

Clam AntiVirus
Win.Trojan.Agent-368640
0.98/21511

Comodo Security
TrojWare.Win32.Downloader.Agent.anho
23930

Dr.Web
Trojan.Click.25243
9.0.1.042

Emsisoft Anti-Malware
Trojan.Generic.1032816
8.16.02.11.08

ESET NOD32
Win32/AutoRun.Agent.DR
10.12832

Fortinet FortiGate
W32/AutoRun.DRN!worm
2/11/2016

F-Prot
W32/Downldr2.ICUY
v6.4.7.1.166

F-Secure
Trojan.Generic.1032816
11.2016-11-02_5

G Data
Trojan.Generic.1032816
16.2.25

IKARUS anti.virus
Trojan-Dropper.Agent
t3scan.1.9.5.0

K7 AntiVirus
Trojan-Downloader
13.212.18353

Kaspersky
HEUR:Trojan.Win32.Generic
14.0.0.676

McAfee
Generic.dx!8587B4848844
5600.6492

Microsoft Security Essentials
Trojan:Win32/Malagent!gmb
1.1.12400.0

MicroWorld eScan
Trojan.Generic.1032816
17.0.0.126

NANO AntiVirus
Trojan.Win32.Agent.dgkdg
1.0.14.5380

nProtect
Trojan-Downloader/W32.Agent.313856.C
16.01.07.01

Panda Antivirus
Trj/Genetic.gen
16.02.11.08

Qihoo 360 Security
Win32/Trojan.Downloader.fe9
1.0.0.1077

Quick Heal
TrojanDownloader.Agent.r3
2.16.14.00

Rising Antivirus
PE:Malware.Generic(Thunder)!1.A1C4 [F]
23.00.65.16209

Sophos
Mal/Behav-034
4.98

Trend Micro House Call
WORM_AGENT.SMY
7.2.42

Trend Micro
WORM_AGENT.SMY
10.465.11

Vba32 AntiVirus
BScope.Trojan.Agent
3.12.26.4

VIPRE Antivirus
Trojan.Win32.Generic
46326

ViRobot
Trojan.Win32.Downloader.313856.K[h]
2014.3.20.0

Zillya! Antivirus
Downloader.Agent.Win32.44573
2.0.0.2596

File size:
306.5 KB (313,856 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\windows\system\csrss.exe

File PE Metadata
Compilation timestamp:
4/13/2008 6:57:48 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
5.0

CTPH (ssdeep):
6144:ti+/EwG4q4olt7/XNK8ppMItjE3h+9IrlGb7dNjhxn5RAE:ti+/EwG4dolV/Xw8ZIrgvdFhx5mE

Entry address:
0xD7E90

Entry point:
60, BE, 00, D0, 48, 00, 8D, BE, 00, 40, F7, FF, C7, 87, 98, 70, 0A, 00, 00, 10, 97, B4, 57, EB, 11, 90, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46...
 
[+]

Code size:
304 KB (311,296 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
csrss

Command:
C:\windows\system\csrss.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to unknown.prolexic.com  (72.52.4.120:80)

TCP:
Connects to ip-91-197-13-28.gadu-gadu.pl  (91.197.13.28:8074)

Remove csrss.exe - Powered by Reason Core Security