Report - csrss.exe

Tags: Client SW User Data Stealer, Backdoor RemcosRAT, browser info stealer, Google Chrome User Data, Downloader, Malicious Packer, Malicious Library, Antivirus, UPX, Create Service, Socket, ScreenShot, Escalate privileges, PWS, Sniff Audio, DNS, Internet API, KeyLogger, AntiDe
ScreenShot
Created: 2024.06.19 10:03
Machine: s1_win7_x6403
Filename: csrss.exe
Type: PE32+ executable (console) x86-64, for MS Windows
AI Score: 2
Behavior Score: 6.0
ZERO API file: malicious
VT API (file): 40 detected (Remcos, malicious, moderate confidence, Lazy, Kryptik, V18p, Genus, Attribute, HighConfidence, FileRepMalware, Convagent, CLOUD, DownLoader47, YXEFRZ, Outbreak, Detected, ai score=86, ABRisk, KMWE, Chgt, Agensla, EetC8ic, MxResIcn, GenKryptik, MAGC)
md5: 08475c0ab2386f3353d1c2f254a839c3
sha256: d613abfde1e416e467b1b936060835b5dff7d3617cfd54dba245f36a214ddd6a
ssdeep: 49152:YgpOmgDQ06m3N051GXdJCXw5Y9ehIwM1A8ofwosSN7Wn:CDDe4Rh0HiK
imphash: 340d65ede751260b3cc3042ec139606a
impfuzzy: 96:odKW7Xi3xu9u9x5JcxbeQUhVdja9v8Rb4XT9X1oYax8XetkyqdLwqydC:oAISxB9CvMb4j9FoxuueUqydC

Signature (12 entries)

Level Description
danger File has been identified by 40 AntiVirus engines on VirusTotal as malicious
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Yara rule detected in process memory
info Checks amount of memory in system
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The file contains an unknown PE resource name possibly indicative of a packer
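
The danger and watch signatures above (executed a process and injected code into it, allocated execute permission in another process, resumed a suspended thread in a remote process) describe one chain, and the sandbox reports each link on its own. The Python below is an added example, not the sandbox's signature engine, showing how an analyst would correlate those links per injecting process from an API call trace. The trace is constructed for this example in a key=value form with handles already resolved to process and thread ids; the API names are the documented Win32 calls, the finding names and the trace format are this example's own. CreateProcess with CREATE_SUSPENDED alone is not malicious (the second process in the trace is a benign launch and produces no finding); the full sequence is the detection.

```python
"""Correlate suspended-process injection signatures from an API call trace.

Added example, not part of the sandbox report. Handles in the constructed
trace are already resolved to process/thread ids so the logic stays visible.
"""
import re

# Constructed trace; not taken from the report. pid is the calling process.
TRACE = """\
pid=2100 api=CreateProcessA dwCreationFlags=0x4 dwProcessId=2216 dwThreadId=2220
pid=2100 api=VirtualAllocEx hProcess=2216 lpAddress=0x400000 dwSize=0x1b000 flProtect=0x40
pid=2100 api=WriteProcessMemory hProcess=2216 lpBaseAddress=0x400000 nSize=0x1b000
pid=2100 api=GetThreadContext hThread=2220
pid=2100 api=SetThreadContext hThread=2220
pid=2100 api=ResumeThread hThread=2220
pid=3000 api=CreateProcessA dwCreationFlags=0x0 dwProcessId=3010 dwThreadId=3014
pid=3000 api=ResumeThread hThread=3008
"""

CREATE_SUSPENDED = 0x4
# PAGE_EXECUTE (0x10), PAGE_EXECUTE_READ (0x20), PAGE_EXECUTE_READWRITE (0x40),
# PAGE_EXECUTE_WRITECOPY (0x80): any of these bits means executable memory.
PAGE_EXECUTE_MASK = 0xF0

# Finding names are this example's own; they mirror the report's signatures.
HOLLOWING_CHAIN = (
    "created_process_suspended",
    "remote_exec_memory",
    "remote_thread_context",
    "resumed_remote_suspended_thread",
)

TOKEN_RE = re.compile(r"(\w+)=(\S+)")


def parse_trace(text):
    """One dict per trace line; every value except 'api' is parsed as an int."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = {}
        for key, val in TOKEN_RE.findall(line):
            ev[key] = val if key == "api" else int(val, 0)
        events.append(ev)
    return events


def detect_injection(events):
    """Return {injecting pid: [findings in observed order]}; benign pids are absent."""
    suspended = {}     # child pid -> primary thread id, when created suspended
    thread_owner = {}  # tid -> pid, learned from CreateProcess results
    findings = {}

    def add(pid, finding):
        bucket = findings.setdefault(pid, [])
        if finding not in bucket:
            bucket.append(finding)

    for ev in events:
        pid, api = ev["pid"], ev["api"]
        if api in ("CreateProcessA", "CreateProcessW"):
            thread_owner[ev["dwThreadId"]] = ev["dwProcessId"]
            if ev["dwCreationFlags"] & CREATE_SUSPENDED:
                suspended[ev["dwProcessId"]] = ev["dwThreadId"]
                add(pid, "created_process_suspended")
        elif api in ("VirtualAllocEx", "VirtualProtectEx"):
            prot = ev.get("flProtect", ev.get("flNewProtect", 0))
            if ev["hProcess"] != pid and prot & PAGE_EXECUTE_MASK:
                add(pid, "remote_exec_memory")
        elif api == "WriteProcessMemory":
            if ev["hProcess"] != pid:
                add(pid, "remote_write")
        elif api == "SetThreadContext":
            if thread_owner.get(ev["hThread"], pid) != pid:
                add(pid, "remote_thread_context")
        elif api == "ResumeThread":
            owner = thread_owner.get(ev["hThread"], pid)
            if owner != pid and suspended.get(owner) == ev["hThread"]:
                add(pid, "resumed_remote_suspended_thread")
    return findings


def is_full_chain(findings_for_pid):
    """True when every link of the suspended-process injection chain was seen."""
    return all(f in findings_for_pid for f in HOLLOWING_CHAIN)


if __name__ == "__main__":
    for pid, found in detect_injection(parse_trace(TRACE)).items():
        print(pid, "full chain" if is_full_chain(found) else "partial", found)
```

Correlating per pid is what keeps this quiet: a launcher that creates a child suspended and resumes it, or a debugger that calls SetThreadContext on its own debuggee, each trips one link, but only the injector trips all four.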

Rules (30 entries)

Level Name Description Collection
danger Client_SW_User_Data_Stealer Client_SW_User_Data_Stealer memory
danger Win_Backdoor_RemcosRAT Win Backdoor RemcosRAT memory
warning infoStealer_browser_Zero browser info stealer memory
watch Antivirus Contains references to security software binaries (upload)
watch Chrome_User_Data_Check_Zero Google Chrome User Data Check memory
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch Network_Downloader File Downloader memory
watch UPX_Zero UPX packed file binaries (upload)
notice Create_Service Create a windows service memory
notice Escalate_priviledges Escalate privileges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
notice Network_DNS Communications use DNS memory
notice Network_TCP_Socket Communications over RAW Socket memory
notice ScreenShot Take ScreenShot memory
notice Sniff_Audio Record Audio memory
notice Str_Win32_Internet_API Match Windows Inet API call memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE64 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info win_hook Affect hook table memory

Network (5 entries)

Request CC ASN org IP4 Rule ZERO
http://geoplugin.net/json.gp NL Schuberg Philis B.V. 178.237.33.50 clean
geoplugin.net NL Schuberg Philis B.V. 178.237.33.50 clean
bossnacarpet.com US AS-COLOCROSSING 107.173.4.18 clean
178.237.33.50 NL Schuberg Philis B.V. 178.237.33.50 clean
107.173.4.18 US AS-COLOCROSSING 107.173.4.18 malware

Suricata IDS

PE API

IAT (Import Address Table) Library

ADVAPI32.dll
 0x140203000 RegCreateKeyExW
 0x140203008 RegDeleteKeyExW
 0x140203010 RegDeleteTreeW
 0x140203018 RegDeleteValueW
 0x140203020 RegEnumKeyExW
 0x140203028 RegEnumValueW
 0x140203030 RegFlushKey
 0x140203038 RegOpenKeyExW
 0x140203040 RegQueryInfoKeyW
 0x140203048 RegQueryValueExW
 0x140203050 RegSetValueExW
 0x140203058 RegCloseKey
 0x140203060 LookupPrivilegeValueW
 0x140203068 RevertToSelf
 0x140203070 OpenThreadToken
 0x140203078 OpenProcessToken
 0x140203080 SetThreadToken
 0x140203088 AdjustTokenPrivileges
 0x140203090 DuplicateTokenEx
 0x140203098 GetSecurityDescriptorLength
 0x1402030a0 CreateWellKnownSid
 0x1402030a8 GetWindowsAccountDomainSid
 0x1402030b0 RegSetValueExA
 0x1402030b8 GetTokenInformation
bcrypt.dll
 0x140203780 BCryptGenRandom
 0x140203788 BCryptSetProperty
 0x140203790 BCryptDestroyKey
 0x140203798 BCryptEncrypt
 0x1402037a0 BCryptDecrypt
 0x1402037a8 BCryptOpenAlgorithmProvider
 0x1402037b0 BCryptImportKey
 0x1402037b8 BCryptCloseAlgorithmProvider
KERNEL32.dll
 0x1402030c8 TlsFree
 0x1402030d0 TlsSetValue
 0x1402030d8 TlsGetValue
 0x1402030e0 TlsAlloc
 0x1402030e8 InitializeCriticalSectionAndSpinCount
 0x1402030f0 EncodePointer
 0x1402030f8 RaiseException
 0x140203100 RtlPcToFileHeader
 0x140203108 SetLastError
 0x140203110 FormatMessageW
 0x140203118 GetLastError
 0x140203120 GetConsoleMode
 0x140203128 GetFileType
 0x140203130 WriteFile
 0x140203138 WriteConsoleW
 0x140203140 GetConsoleOutputCP
 0x140203148 GetStdHandle
 0x140203150 MultiByteToWideChar
 0x140203158 WideCharToMultiByte
 0x140203160 CloseThreadpoolIo
 0x140203168 RaiseFailFastException
 0x140203170 TzSpecificLocalTimeToSystemTime
 0x140203178 SystemTimeToFileTime
 0x140203180 FileTimeToSystemTime
 0x140203188 GetSystemTime
 0x140203190 GetCalendarInfoEx
 0x140203198 CompareStringOrdinal
 0x1402031a0 CompareStringEx
 0x1402031a8 FindNLSStringEx
 0x1402031b0 GetLocaleInfoEx
 0x1402031b8 ResolveLocaleName
 0x1402031c0 GetUserPreferredUILanguages
 0x1402031c8 FindStringOrdinal
 0x1402031d0 GetTickCount64
 0x1402031d8 GetCurrentProcess
 0x1402031e0 GetCurrentThread
 0x1402031e8 Sleep
 0x1402031f0 DeleteCriticalSection
 0x1402031f8 LocalFree
 0x140203200 EnterCriticalSection
 0x140203208 SleepConditionVariableCS
 0x140203210 LeaveCriticalSection
 0x140203218 WakeConditionVariable
 0x140203220 QueryPerformanceCounter
 0x140203228 InitializeCriticalSection
 0x140203230 InitializeConditionVariable
 0x140203238 WaitForMultipleObjectsEx
 0x140203240 QueryPerformanceFrequency
 0x140203248 GetFullPathNameW
 0x140203250 GetLongPathNameW
 0x140203258 GetCPInfo
 0x140203260 LocalAlloc
 0x140203268 GetProcAddress
 0x140203270 LocaleNameToLCID
 0x140203278 LCMapStringEx
 0x140203280 EnumTimeFormatsEx
 0x140203288 EnumCalendarInfoExEx
 0x140203290 CopyFileExW
 0x140203298 CreateDirectoryW
 0x1402032a0 CreateFileW
 0x1402032a8 CreateThreadpoolIo
 0x1402032b0 StartThreadpoolIo
 0x1402032b8 CancelThreadpoolIo
 0x1402032c0 DeleteFileW
 0x1402032c8 DeleteVolumeMountPointW
 0x1402032d0 CreateSymbolicLinkW
 0x1402032d8 DeviceIoControl
 0x1402032e0 ExpandEnvironmentStringsW
 0x1402032e8 FindNextFileW
 0x1402032f0 FindClose
 0x1402032f8 FindFirstFileExW
 0x140203300 FreeLibrary
 0x140203308 GetFileAttributesExW
 0x140203310 GetFileInformationByHandle
 0x140203318 GetFileInformationByHandleEx
 0x140203320 GetFinalPathNameByHandleW
 0x140203328 GetLogicalDrives
 0x140203330 GetModuleFileNameW
 0x140203338 GetOverlappedResult
 0x140203340 GetSystemDirectoryW
 0x140203348 GetVolumeInformationW
 0x140203350 LoadLibraryExW
 0x140203358 MoveFileExW
 0x140203360 ReadFile
 0x140203368 RemoveDirectoryW
 0x140203370 ReplaceFileW
 0x140203378 SetFileAttributesW
 0x140203380 SetFileInformationByHandle
 0x140203388 SetThreadErrorMode
 0x140203390 DuplicateHandle
 0x140203398 GetThreadPriority
 0x1402033a0 SetThreadPriority
 0x1402033a8 GetDynamicTimeZoneInformation
 0x1402033b0 GetTimeZoneInformation
 0x1402033b8 GetCurrentProcessorNumberEx
 0x1402033c0 CloseHandle
 0x1402033c8 SetEvent
 0x1402033d0 ResetEvent
 0x1402033d8 CreateEventExW
 0x1402033e0 GetEnvironmentVariableW
 0x1402033e8 CreateProcessA
 0x1402033f0 GetConsoleWindow
 0x1402033f8 LoadLibraryA
 0x140203400 FreeConsole
 0x140203408 AllocConsole
 0x140203410 ResumeThread
 0x140203418 ExitProcess
 0x140203420 GetCurrentProcessId
 0x140203428 FlushProcessWriteBuffers
 0x140203430 WaitForSingleObjectEx
 0x140203438 RtlVirtualUnwind
 0x140203440 RtlCaptureContext
 0x140203448 RtlRestoreContext
 0x140203450 AddVectoredExceptionHandler
 0x140203458 FlsAlloc
 0x140203460 FlsGetValue
 0x140203468 FlsSetValue
 0x140203470 CreateEventW
 0x140203478 TerminateProcess
 0x140203480 SwitchToThread
 0x140203488 CreateThread
 0x140203490 GetCurrentThreadId
 0x140203498 SuspendThread
 0x1402034a0 GetThreadContext
 0x1402034a8 SetThreadContext
 0x1402034b0 FlushInstructionCache
 0x1402034b8 VirtualAlloc
 0x1402034c0 VirtualProtect
 0x1402034c8 VirtualFree
 0x1402034d0 QueryInformationJobObject
 0x1402034d8 GetModuleHandleW
 0x1402034e0 GetModuleHandleExW
 0x1402034e8 GetProcessAffinityMask
 0x1402034f0 InitializeContext
 0x1402034f8 GetEnabledXStateFeatures
 0x140203500 SetXStateFeaturesMask
 0x140203508 VirtualQuery
 0x140203510 InitializeCriticalSectionEx
 0x140203518 GetSystemTimeAsFileTime
 0x140203520 DebugBreak
 0x140203528 WaitForSingleObject
 0x140203530 SleepEx
 0x140203538 GlobalMemoryStatusEx
 0x140203540 GetSystemInfo
 0x140203548 GetLogicalProcessorInformation
 0x140203550 GetLogicalProcessorInformationEx
 0x140203558 GetLargePageMinimum
 0x140203560 VirtualUnlock
 0x140203568 VirtualAllocExNuma
 0x140203570 IsProcessInJob
 0x140203578 GetNumaHighestNodeNumber
 0x140203580 GetProcessGroupAffinity
 0x140203588 K32GetProcessMemoryInfo
 0x140203590 RtlUnwindEx
 0x140203598 IsProcessorFeaturePresent
 0x1402035a0 SetUnhandledExceptionFilter
 0x1402035a8 UnhandledExceptionFilter
 0x1402035b0 IsDebuggerPresent
 0x1402035b8 RtlLookupFunctionEntry
 0x1402035c0 InitializeSListHead
ole32.dll
 0x1402037c8 CoTaskMemFree
 0x1402037d0 CoCreateGuid
 0x1402037d8 CoGetApartmentType
 0x1402037e0 CoTaskMemAlloc
 0x1402037e8 CoUninitialize
 0x1402037f0 CoInitializeEx
 0x1402037f8 CoWaitForMultipleHandles
USER32.dll
 0x1402035d0 LoadStringW
api-ms-win-crt-math-l1-1-0.dll
 0x140203630 modf
 0x140203638 tan
 0x140203640 sin
 0x140203648 pow
 0x140203650 __setusermatherr
 0x140203658 ceil
 0x140203660 floor
 0x140203668 cos
api-ms-win-crt-heap-l1-1-0.dll
 0x1402035f0 calloc
 0x1402035f8 malloc
 0x140203600 free
 0x140203608 _callnewh
 0x140203610 _set_new_mode
api-ms-win-crt-string-l1-1-0.dll
 0x140203750 _stricmp
 0x140203758 strcpy_s
 0x140203760 strcmp
 0x140203768 wcsncmp
 0x140203770 strncpy_s
api-ms-win-crt-convert-l1-1-0.dll
 0x1402035e0 strtoull
api-ms-win-crt-runtime-l1-1-0.dll
 0x140203678 terminate
 0x140203680 _crt_atexit
 0x140203688 _register_onexit_function
 0x140203690 _initialize_onexit_table
 0x140203698 abort
 0x1402036a0 _register_thread_local_exe_atexit_callback
 0x1402036a8 _c_exit
 0x1402036b0 _cexit
 0x1402036b8 __p___wargv
 0x1402036c0 __p___argc
 0x1402036c8 _exit
 0x1402036d0 exit
 0x1402036d8 _initterm_e
 0x1402036e0 _initterm
 0x1402036e8 _get_initial_wide_environment
 0x1402036f0 _initialize_wide_environment
 0x1402036f8 _configure_wide_argv
 0x140203700 _seh_filter_exe
 0x140203708 _set_app_type
api-ms-win-crt-stdio-l1-1-0.dll
 0x140203718 __stdio_common_vfprintf
 0x140203720 __p__commode
 0x140203728 __acrt_iob_func
 0x140203730 __stdio_common_vsscanf
 0x140203738 __stdio_common_vsprintf_s
 0x140203740 _set_fmode
api-ms-win-crt-locale-l1-1-0.dll
 0x140203620 _configthreadlocale
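
Static triage of the import table above, added here as an example; it is not part of the report or of the sandbox's rule set. It parses the report's own listing format, a DLL name line followed by `0xADDR FunctionName` lines, over an excerpt copied from the table, and groups the names into capability buckets that mirror the signatures and rules above: suspended-process injection (CreateProcessA, SuspendThread, GetThreadContext, SetThreadContext, ResumeThread, VirtualAlloc, VirtualProtect, FlushInstructionCache), token and privilege manipulation, registry writes, BCrypt crypto and debugger checks. The bucket names and API groupings are this example's own choice. Two caveats for the reader: every API here is also used by legitimate runtimes, so a hit is a signal for the analyst and not a verdict; and the static table carries no VirtualAllocEx or WriteProcessMemory even though the sandbox observed execute permission granted in another process, which together with GetProcAddress and LoadLibraryA in the table points at imports resolved at run time. The BCrypt* names are listed under bcrypt.dll, the module that exports them.

```python
"""Static import triage for the report's IAT listing.

Added example, not part of the sandbox report. Parses "DLL\n 0xADDR Name"
blocks and maps names to capability buckets. Presence is a triage signal,
not a verdict: every API below is also used by legitimate software.
"""
import re
from collections import defaultdict

# Excerpt copied from the report's IAT section (addresses as listed there).
IAT_TEXT = """\
ADVAPI32.dll
 0x140203000 RegCreateKeyExW
 0x140203050 RegSetValueExW
 0x140203060 LookupPrivilegeValueW
 0x140203078 OpenProcessToken
 0x140203088 AdjustTokenPrivileges
 0x140203090 DuplicateTokenEx
bcrypt.dll
 0x140203798 BCryptEncrypt
 0x1402037a0 BCryptDecrypt
 0x1402037b0 BCryptImportKey
KERNEL32.dll
 0x140203268 GetProcAddress
 0x1402033e8 CreateProcessA
 0x1402033f8 LoadLibraryA
 0x140203410 ResumeThread
 0x140203498 SuspendThread
 0x1402034a0 GetThreadContext
 0x1402034a8 SetThreadContext
 0x1402034b0 FlushInstructionCache
 0x1402034b8 VirtualAlloc
 0x1402034c0 VirtualProtect
 0x1402035b0 IsDebuggerPresent
"""

# Bucket names and groupings are this example's own, chosen to mirror the
# sandbox signatures (injection, privilege escalation, registry, crypto, anti-debug).
CAPABILITIES = {
    "process_injection": {
        "CreateProcessA", "CreateProcessW", "SuspendThread", "GetThreadContext",
        "SetThreadContext", "ResumeThread", "VirtualAlloc", "VirtualAllocEx",
        "VirtualProtect", "VirtualProtectEx", "WriteProcessMemory",
        "FlushInstructionCache", "QueueUserAPC",
    },
    "token_privilege": {
        "OpenProcessToken", "OpenThreadToken", "LookupPrivilegeValueW",
        "AdjustTokenPrivileges", "DuplicateTokenEx", "SetThreadToken",
    },
    "registry": {
        "RegCreateKeyExW", "RegSetValueExW", "RegSetValueExA",
        "RegDeleteTreeW", "RegDeleteKeyExW", "RegDeleteValueW",
    },
    "crypto": {
        "BCryptEncrypt", "BCryptDecrypt", "BCryptImportKey",
        "BCryptGenRandom", "BCryptOpenAlgorithmProvider",
    },
    "anti_debug": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"},
    "dynamic_resolution": {
        "GetProcAddress", "LoadLibraryA", "LoadLibraryW", "LoadLibraryExW",
    },
}

DLL_RE = re.compile(r"^\s*([\w.-]+\.dll)\s*$", re.IGNORECASE)
IMPORT_RE = re.compile(r"^\s*0x[0-9a-fA-F]+\s+(\w+)\s*$")


def parse_iat(text):
    """Return {dll: [function, ...]} from the report's IAT listing format."""
    imports = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = DLL_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = IMPORT_RE.match(line)
        if m and current is not None:
            imports[current].append(m.group(1))
    return dict(imports)


def triage(imports):
    """Map imported names onto capability buckets; empty buckets are dropped."""
    names = {fn for fns in imports.values() for fn in fns}
    return {bucket: sorted(names & apis)
            for bucket, apis in CAPABILITIES.items() if names & apis}


def missing_for_remote_write(imports):
    """Remote-write APIs absent from the static IAT.

    The sandbox still saw execute permission granted in another process, so a
    non-empty result here plus a 'dynamic_resolution' hit means the IAT
    understates what the binary does at run time."""
    names = {fn for fns in imports.values() for fn in fns}
    return sorted({"VirtualAllocEx", "WriteProcessMemory", "VirtualProtectEx"} - names)


if __name__ == "__main__":
    imp = parse_iat(IAT_TEXT)
    for bucket, apis in triage(imp).items():
        print(f"{bucket:20s} {', '.join(apis)}")
    print("not in static IAT:", ", ".join(missing_for_remote_write(imp)))
```

Run against the full table rather than the excerpt, the same parser also picks up the api-ms-win-crt-* forwarders, which belong to no bucket and can be ignored for triage.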

EAT (Export Address Table) Library



Similarity measure (PE file only) - Checking for service failure