Summary | ZeroBOX

csrss.exe

Tags: Formbook, Process Kill, Suspicious_Script_Bin, Generic Malware, UPX, CryptGenKey, Malicious Library, FindFirstVolume, PE File, Device_File_Check, PE32
Category: FILE
Machine: s1_win7_x6403_us
Started: April 11, 2025, 1:42 p.m.
Completed: April 11, 2025, 1:44 p.m.
Size 1.1MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 67e4a0dc097ec49476cd4e56805e5e56
SHA256 d98ecf3bdfc1d007e6bee663d92396a3601ca42525940eff2112d67bf5eea721
CRC32 9ED538E2
ssdeep 24576:nu6J33O0c+JY5UZ+XC0kGso6FaMPYdtVicgcQwYWY:hu0c++OCvkGs9FaMPYLVic9Y
Yara
  • PE_Header_Zero - PE File Signature
  • Malicious_Library_Zero - Malicious_Library
  • FindFirstVolume_Zero - FindFirstVolume Zero
  • CryptGenKey_Zero - CryptGenKey Zero
  • Process_Snapshot_Kill_Zero - Process Kill Zero
  • IsPE32 - (no description)
  • Device_Check_Zero - Device Check Zero
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check
  • UPX_Zero - UPX packed file

Suricata Alerts

Flow SID Signature Category
TCP 168.76.121.210:80 -> 192.168.56.103:49168 2400025 ET DROP Spamhaus DROP Listed Traffic Inbound group 26 Misc Attack
TCP 194.195.208.62:443 -> 192.168.56.103:49182 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49170 -> 194.195.208.62:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49181 -> 194.195.208.62:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49171 -> 194.195.208.62:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 194.195.208.62:443 -> 192.168.56.103:49172 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 194.195.208.62:443 -> 192.168.56.103:49187 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49176 -> 194.195.208.62:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49180 -> 194.195.208.62:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49175 -> 194.195.208.62:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 194.195.208.62:443 -> 192.168.56.103:49177 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49185 -> 194.195.208.62:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49186 -> 194.195.208.62:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 194.195.208.62:443 -> 192.168.56.103:49178 2260001 SURICATA Applayer Wrong direction first Data Generic Protocol Command Decode
TCP 194.195.208.62:443 -> 192.168.56.103:49173 2260001 SURICATA Applayer Wrong direction first Data Generic Protocol Command Decode
TCP 194.195.208.62:443 -> 192.168.56.103:49183 2260001 SURICATA Applayer Wrong direction first Data Generic Protocol Command Decode
TCP 194.195.208.62:443 -> 192.168.56.103:49188 2260001 SURICATA Applayer Wrong direction first Data Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1020
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 20480
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0087e000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 2156
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00960000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 2524
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02260000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\
section .rsrc: size_of_data 0x00055200, virtual_address 0x000c7000, virtual_size 0x000550fc, entropy 7.882929345827478; description: A section with a high entropy has been found
entropy 0.298291721419; description: Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2160
thread_handle: 0x00000138
process_identifier: 2156
current_directory:
filepath: C:\Windows\System32\svchost.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\csrss.exe"
filepath_r: C:\Windows\System32\svchost.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000130
status: 1  return: 1  repeated: 0
Process injection: Process 1020 called NtSetContextThread to modify thread in remote process 2156
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 2005598660
registers.esp: 3012656
registers.edi: 0
registers.eax: 4199712
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000138
process_identifier: 2156
status: 1  return: 0  repeated: 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.AutoIt.l!c
Cynet Malicious (score: 99)
CAT-QuickHeal cld.trojanspy.noon
Skyhigh BehavesLike.Win32.Formbook.tc
ALYac Trojan.GenericKD.76203073
Cylance Unsafe
Sangfor Virus.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
BitDefender Trojan.GenericKD.76203073
K7GW Trojan ( 005c554a1 )
K7AntiVirus Trojan ( 005c554a1 )
Arcabit Trojan.Generic.D48AC441
VirIT Trojan.Win32.AutoIt_Heur.L
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Injector.Autoit.GZD
APEX Malicious
Avast Win32:Malware-gen
Kaspersky Trojan-Spy.Win32.Noon.bkxf
Alibaba Trojan:Win32/Strab.5002d23f
MicroWorld-eScan Trojan.GenericKD.76203073
Emsisoft Trojan.GenericKD.76203073 (B)
F-Secure Trojan.TR/AD.Swotter.xryzp
McAfeeD ti!D98ECF3BDFC1
CTX exe.trojan.autoit
Sophos Mal/Generic-S
Google Detected
Avira TR/AD.Swotter.xryzp
Kingsoft malware.kb.a.779
Microsoft Trojan:Win32/Strab!rfn
GData Win32.Trojan.Agent.P8NDAE
Varist W32/AutoIt.OL.gen!Eldorado
AhnLab-V3 Trojan/AU3.Loader.S3020
McAfee Artemis!67E4A0DC097E
Malwarebytes Backdoor.NetWiredRC.AutoIt.Generic
Ikarus Trojan.Autoit
Zoner Trojan.Win32.179540
TrendMicro-HouseCall TROJ_GEN.R002H01D925
MaxSecure Trojan.Malware.300983.susgen
Fortinet AutoIt/Agent.GYU!tr
AVG Win32:Malware-gen