csrss.exe

The executable csrss.exe has been detected as malware by 1 of 68 anti-virus scanners. The file name imitates the legitimate Windows Client/Server Runtime Subsystem process, which runs only from C:\Windows\System32\csrss.exe; this file runs from the user's roaming AppData folder instead. It is set to start automatically when the user logs into Windows via the current-user Run registry key, under the display name 'Client Server Runtime Process'. While running, it connects to the Internet address loft11030.dedicatedpanel.com on TCP port 9631 (and to the further hosts listed below).
MD5:
57c28769763f16ddacff1cea173aa8bc

SHA-1:
db5cb9bf28ca9b788ff3a5398c93ec0b03366862

SHA-256:
e1234552cabc81df0488a1b90b2a1505e1e24f6c5c0e4b61cd430d947ff5faa4

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
12/27/2024 7:20:30 AM UTC

Scan engine          Detection              Engine version
Reason Heuristics    Trojan.Installer (M)   16.1.28.13

File size:
104.9 KB (107,439 bytes)

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\csrss.exe

File PE Metadata
Compilation timestamp:
9/15/2014 4:39:24 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:VYK9NzlbBUmSXIiYDouG2Zm47t0SapMuec9K:iK9NzlGbY9jUy2ppe1

Entry address:
0x11866

Entry point:
55, 8B, EC, 6A, FF, 68, 18, 23, 41, 00, 68, 50, 1A, 41, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, 4C, 20, 41, 00, 59, 83, 0D, 54, 15, 5B, 00, FF, 83, 0D, 58, 15, 5B, 00, FF, FF, 15, 50, 20, 41, 00, 8B, 0D, 50, 15, 5B, 00, 89, 08, FF, 15, 54, 20, 41, 00, 8B, 0D, 4C, 15, 5B, 00, 89, 08, A1, 38, 20, 41, 00, 8B, 00, A3, 5C, 15, 5B, 00, E8, 28, 01, 00, 00, 39, 1D, 38, 35, 41, 00, 75, 0C, 68, FA, 19, 41, 00, FF, 15, 34, 20...
Note: this byte sequence (push ebp; mov ebp, esp; push -1; SEH frame setup; push 2 / call __set_app_type) is the standard Visual C++ 6.0 CRT startup stub for a GUI application. It identifies the compiler, not this sample, so it is not usable as a signature on its own.

Entropy:
6.3490

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
68 KB (69,632 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Client Server Runtime Process

Command:
C:\users\{user}\appdata\roaming\csrss.exe
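The persistence and hash data above can be checked on a suspect host with a short triage script. The following is an added example, not code from the original page or from Reason Core Security. It assumes Run-key entries are supplied as (value name, command) pairs, read live with winreg on Windows or constructed offline as in the sample list; the known hashes and the display name are the ones published on this page, and the list of system-only binary names is an illustrative subset.

```python
"""Triage helper: flag Run-key persistence that masquerades as csrss.exe and
compare a file's hashes with the ones published for this sample."""
import hashlib
import ntpath

# Hashes published on the page for this csrss.exe sample.
KNOWN_HASHES = {
    "md5": "57c28769763f16ddacff1cea173aa8bc",
    "sha1": "db5cb9bf28ca9b788ff3a5398c93ec0b03366862",
    "sha256": "e1234552cabc81df0488a1b90b2a1505e1e24f6c5c0e4b61cd430d947ff5faa4",
}
KNOWN_RUN_NAME = "Client Server Runtime Process"  # Run value name used by the sample

# Windows binaries that only legitimately run from the system directory
# (assumption: illustrative subset chosen for this example).
SYSTEM_ONLY_NAMES = {"csrss.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe"}
# Simplification: only the default system drive is considered.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def _executable_from_command(command: str) -> str:
    """Return the executable path from a Run-key command.
    Quoted paths are unquoted; unquoted paths are taken up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ")[0]


def suspicious_run_entries(entries):
    """Return findings for Run-key entries that either reuse a system-only binary
    name outside the system directory or carry the sample's display name."""
    findings = []
    for name, command in entries:
        exe = _executable_from_command(command)
        base = ntpath.basename(exe).lower()
        path = ntpath.normpath(exe).lower()
        reasons = []
        if base in SYSTEM_ONLY_NAMES and not path.startswith(SYSTEM_DIRS):
            reasons.append(f"{base} started from {ntpath.dirname(exe)} instead of the system directory")
        if name.strip().lower() == KNOWN_RUN_NAME.lower():
            reasons.append(f"Run value name matches the known display name {KNOWN_RUN_NAME!r}")
        if reasons:
            findings.append({"name": name, "path": exe, "reasons": reasons})
    return findings


def hash_matches(data: bytes) -> dict:
    """Hash file contents and report which of the published hashes match."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    return {alg: digests[alg] == KNOWN_HASHES[alg] for alg in KNOWN_HASHES}


def read_hkcu_run():
    """Read the live HKCU Run key on Windows; returns [] on other platforms."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # raised when no more values remain
                break
            entries.append((name, str(value)))
            index += 1
    return entries


# Constructed sample entries (not taken from a real host); "alice" is a placeholder user.
SAMPLE_ENTRIES = [
    ("OneDrive", '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    ("Client Server Runtime Process", "C:\\Users\\alice\\AppData\\Roaming\\csrss.exe"),
    ("SecurityHealth", "C:\\Windows\\System32\\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    entries = read_hkcu_run() or SAMPLE_ENTRIES
    for finding in suspicious_run_entries(entries):
        print(finding["name"], "->", finding["path"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

On a live host, feed the path from any finding to `hash_matches(open(path, "rb").read())`; a hash miss does not clear the file, since a repacked build of the same family keeps the persistence behaviour while changing every hash.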


The executing file has been seen making the following outbound TCP connections in live environments. Most of the hostnames look like hosting-provider reverse-DNS names (for example ns321304.ip-91-121-169.eu and a2.89.b6.static.xlhost.com) rather than domains registered by the operator, so the actionable indicators are the IP:port pairs, on ports 9631, 9997 and 9027. These are rented servers and may be reassigned, so matches should be treated as leads to confirm rather than proof on their own.

TCP:
Connects to loft11030.dedicatedpanel.com  (188.138.57.44:9631)

TCP:
Connects to loft11332.dedicatedpanel.com  (85.25.237.52:9631)

TCP:
Connects to loft11225.dedicatedpanel.com  (188.138.102.45:9997)

TCP:
Connects to ns321304.ip-91-121-169.eu  (91.121.169.202:9631)

TCP:
Connects to loft12100.dedicatedpanel.com  (85.93.93.92:9997)

TCP:
Connects to loft11230.dedicatedpanel.com  (188.138.102.50:9631)

TCP:
Connects to kvm1.schlumbergerlimited.ch  (188.138.102.48:9631)

TCP:
Connects to HostedBy.Lusobits.com  (94.242.228.95:9027)

TCP:
Connects to a2.89.b6.static.xlhost.com  (207.182.137.162:9631)
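To hunt for these connections in existing telemetry, the indicator lines above can be parsed directly and matched against connection logs. The following is an added example, not code from the original page. The log format is an assumption: tab-separated Zeek-style conn.log fields (ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto), and the sample log lines are constructed, not real traffic.

```python
"""Parse the page's 'Connects to host  (ip:port)' indicators and scan
tab-separated connection logs for exact, same-IP and same-port matches."""
import ipaddress
import re
from collections import namedtuple

# Copied from the network section of this page.
PAGE_INDICATORS = """
Connects to loft11030.dedicatedpanel.com  (188.138.57.44:9631)
Connects to loft11332.dedicatedpanel.com  (85.25.237.52:9631)
Connects to loft11225.dedicatedpanel.com  (188.138.102.45:9997)
Connects to ns321304.ip-91-121-169.eu  (91.121.169.202:9631)
Connects to loft12100.dedicatedpanel.com  (85.93.93.92:9997)
Connects to loft11230.dedicatedpanel.com  (188.138.102.50:9631)
Connects to kvm1.schlumbergerlimited.ch  (188.138.102.48:9631)
Connects to HostedBy.Lusobits.com  (94.242.228.95:9027)
Connects to a2.89.b6.static.xlhost.com  (207.182.137.162:9631)
"""

Indicator = namedtuple("Indicator", "host ip port")
_IOC_RE = re.compile(r"Connects to\s+(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3}):(\d+)\)")


def parse_indicators(text: str):
    """Turn the page's indicator lines into Indicator tuples; malformed lines are skipped."""
    found = []
    for line in text.splitlines():
        m = _IOC_RE.search(line)
        if not m:
            continue
        host, ip, port = m.groups()
        ipaddress.ip_address(ip)  # raises ValueError on an address like 300.1.1.1
        found.append(Indicator(host.lower(), ip, int(port)))
    return found


def scan_conn_log(lines, indicators):
    """Return (severity, line) for each TCP log line touching an indicator.

    'exact': destination ip:port is on the list (check-in to known C2)
    'ip'   : same server, different port (infrastructure reuse)
    'port' : unknown destination but one of the sample's C2 ports; low confidence alone
    """
    exact = {(i.ip, i.port) for i in indicators}
    ips = {i.ip for i in indicators}
    ports = {i.port for i in indicators}
    hits = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 6 or fields[5].lower() != "tcp":
            continue  # the page only reports TCP connections
        dst, dport = fields[3], int(fields[4])
        if (dst, dport) in exact:
            hits.append(("exact", line))
        elif dst in ips:
            hits.append(("ip", line))
        elif dport in ports:
            hits.append(("port", line))
    return hits


# Constructed log lines (ts, orig_h, orig_p, resp_h, resp_p, proto); 10.0.0.x and
# 203.0.113.9 are placeholder addresses, not observed traffic.
SAMPLE_LOG = [
    "1419667200.1\t10.0.0.15\t49812\t188.138.57.44\t9631\ttcp",   # exact C2 pair
    "1419667201.2\t10.0.0.15\t49813\t93.184.216.34\t443\ttcp",    # unrelated HTTPS
    "1419667202.3\t10.0.0.22\t49814\t85.25.237.52\t80\ttcp",      # known server, other port
    "1419667203.4\t10.0.0.22\t49815\t203.0.113.9\t9997\ttcp",     # C2 port, unknown server
    "1419667204.5\t10.0.0.22\t49816\t188.138.102.45\t9997\tudp",  # UDP, ignored
]

if __name__ == "__main__":
    for severity, line in scan_conn_log(SAMPLE_LOG, parse_indicators(PAGE_INDICATORS)):
        print(severity, line)
```

The three tiers are deliberate: an exact ip:port hit is worth an immediate host check, a same-IP hit suggests the operator reusing a box, and a port-only hit is just a pivot point to combine with the process or Run-key evidence from the host.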

Remove csrss.exe - Powered by Reason Core Security