home

CSRSS.exe

Процесс исполнения клиент-сервер

While the file properties state the file is developed by 'Microsoft Corporation', this is not the case and it is designed just to look like a legitimate Microsoft system file. The application CSRSS.exe, “Процесс исполнения клиент-сервер” has been detected as a potentially unwanted program by 22 anti-malware scanners. This is a setup program which is used to install the application. This is a malicious Bitcoin miner. Bitcoin-mining malware is designed to force computers to generate Bitcoins for cybercriminals' use and consumes computing power.
Publisher:
Microsoft Corporation*  (Invalid match)

Product:
Microsoft® Windows® Operating System

Description:
Процесс исполнения клиент-сервер

Version:
6.1.7600.16385

MD5:
3eb05cb9aade2c8948603fc422d2dd6e

SHA-1:
555ac8152dee0d8f8200d8fa60914af31578d65d

SHA-256:
f8f91cafecb8d9ec3878fb2401886d3161ea83fa6c7491944a6a8ec6d1ef8c96

Scanner detections:
22 / 68

Status:
Potentially unwanted

Explanation:
The program will mine for BitCoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
11/16/2024 12:21:34 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Riskware.BitCoinMiner
7.1.1

avast!
Win64:Rootkit-gen [Rtk]
2014.9-150911

AVG
BitCoinMiner.D
2016.0.2989

Baidu Antivirus
Hacktool.Win64.BitCoinMiner
4.0.3.15911

Bitdefender
Trojan.Generic.11649192
1.0.20.1550

Clam AntiVirus
Win.Trojan.Bitcoinminer-81
0.98/21511

Dr.Web
Trojan.Coinbit.43
9.0.1.0254

ESET NOD32
Win64/BitCoinMiner.U potentially unsafe (variant)
9.12232

Fortinet FortiGate
Riskware/BitCoinMiner
9/11/2015

G Data
Win64.Riskware.BitCoinMiner
15.9.25

herdProtect (fuzzy)
variant of 806779989c6ea355a1abf4f6c7cb646c.exe
2015.11.6.4

IKARUS anti.virus
not-a-virus:RiskTool.BitCoinMiner
t3scan.1.9.5.0

K7 AntiVirus
Trojan
13.183.13451

Kaspersky
not-a-virus:RiskTool.Win64.BitCoinMiner
14.0.0.1442

Malwarebytes
Riskware.BitcoinMiner
v2015.11.06.04

McAfee
RDN/Generic PUP.x!cmq
5600.6645

MicroWorld eScan
Trojan.Generic.11649192
16.0.0.930

nProtect
Trojan.Generic.11649192
14.09.22.01

Panda Antivirus
Generic Suspicious
15.09.11.03

Sophos
Internet Download Manager - Miner (PUA)
4.98

Trend Micro House Call
TROJ_GEN.R047C0OHO14
7.2.310

Zillya! Antivirus
Tool.BitCoinMiner.Win64.3
2.0.0.2393

File size:
504 KB (516,096 bytes)

Product version:
6.1.7600.16385

Copyright:
© Microsoft Corporation. All rights reserved.

Original file name:
CSRSS.Exe

File type:
Executable application (Win64 EXE)

Common path:
C:\windows\csrss.exe

File PE Metadata
OS version:
4.0

OS bitness:
Win64

Subsystem:
Windows Console

Linker version:
2.24

CTPH (ssdeep):
12288:dVOEGAlH4s/FFRf725x8zHWt2/BSvHLWq1blj/UY0nTRCgu:dVfHX/FFRzJjc2/4vrWq1RAYyTI

Entry address:
0x1500

Entry point:
48, 83, EC, 28, 48, 8B, 05, 15, 3A, 07, 00, C7, 00, 00, 00, 00, 00, E8, 6A, 95, 05, 00, E8, 95, FC, FF, FF, 90, 90, 48, 83, C4, 28, C3, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 48, 83, EC, 38, 4C, 89, 4C, 24, 58, 4C, 8D, 4C, 24, 58, 4C, 89, 4C, 24, 28, E8, D8, 9E, 05, 00, 48, 83, C4, 38, C3, 0F, 1F, 00, 56, 53, 48, 83, EC, 28, 48, 85, C9, 74, 75, 83, 39, 01, 48, 89, CB, 74, 3D, 66, 66, 66, 66, 2E, 0F, 1F, 84, 00, 00, 00, 00, 00, 48, 89, D9, 48, C7, 03, 00, 00, 00, 00, 48, C7, 43, 08, 00, 00...
 
[+]

Code size:
388 KB (397,312 bytes)

The file CSRSS.exe has been seen being distributed by the following 5 URLs.

http://callfor.info/csrss.exe

http://lp2.bongacams24.com/csrss.exe

http://gooqler.com/csrss.exe

http://lp1.bongacams24.com/csrss.exe

http://goodbe.co/csrss.exe

The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to static.178.147.9.176.clients.your-server.de  (176.9.147.178:45590)

TCP:
Connects to 195-154-181-121.rev.poneytelecom.eu  (195.154.181.121:45590)

TCP:
Connects to static.243.47.9.176.clients.your-server.de  (176.9.47.243:45590)

TCP:
Connects to static.145.2.9.176.clients.your-server.de  (176.9.2.145:45560)

Remove CSRSS.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.