ScreenShot
| Created | 2024.07.26 18:42 | Machine | s1_win7_x6403 |
| Filename | csrss.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | 19 detected (AIDetectMalware, malicious, high confidence, Attribute, HighConfidence, GenKryptik, GZZF, MalwareX, CLASSIC, Detected, Sabsik, susgen, MAGC) | ||
| md5 | 4fb3e6e7b8f9c12cd2d5e161f7b94760 | ||
| sha256 | f76f9b85df2ba8850bec058164d2c752c8fd8ef0f1bcffd793e5f453d8a839bb | ||
| ssdeep | 49152:Og7eO7kjTav5AwVZGsY3uS+s1vm1lvt+vU0JSziMwqM:j7lmmUM7wq | ||
| imphash | fa79c8f1c618648f2275daa90f4c6120 | ||
| impfuzzy | 96:C6KC7Xg9NS9u7JcxL/eQUKU5ja9VmHTXrR9X1sqPIXeQkyqdLznkyB:CF0Q9NtkVST7R9FsoIuD/nkyB | ||
Network IP location
Signature (14cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | File has been identified by 19 AntiVirus engines on VirusTotal as malicious |
| watch | Manipulates memory of a non-child process indicative of process injection |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | This executable has a PDB path |
Rules (30cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Client_SW_User_Data_Stealer | Client_SW_User_Data_Stealer | memory |
| danger | Win_Backdoor_RemcosRAT | Win Backdoor RemcosRAT | memory |
| warning | infoStealer_browser_Zero | browser info stealer | memory |
| watch | Antivirus | Contains references to security software | binaries (upload) |
| watch | Chrome_User_Data_Check_Zero | Google Chrome User Data Check | memory |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | Network_Downloader | File Downloader | memory |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Create_Service | Create a windows service | memory |
| notice | Escalate_priviledges | Escalate priviledges | memory |
| notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
| notice | KeyLogger | Run a KeyLogger | memory |
| notice | Network_DNS | Communications use DNS | memory |
| notice | Network_TCP_Socket | Communications over RAW Socket | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| notice | Sniff_Audio | Record Audio | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | win_hook | Affect hook table | memory |
Network (5cnts) ?
Suricata ids
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x14019b000 RegCloseKey
0x14019b008 RegEnumValueW
0x14019b010 RegOpenKeyExW
0x14019b018 RegQueryValueExW
0x14019b020 RegCreateKeyExW
0x14019b028 RegDeleteKeyExW
0x14019b030 RegDeleteValueW
0x14019b038 RegEnumKeyExW
0x14019b040 RegFlushKey
0x14019b048 RegQueryInfoKeyW
0x14019b050 RegSetValueExW
0x14019b058 CreateWellKnownSid
0x14019b060 GetWindowsAccountDomainSid
0x14019b068 LookupPrivilegeValueW
0x14019b070 RevertToSelf
0x14019b078 OpenThreadToken
0x14019b080 OpenProcessToken
0x14019b088 SetThreadToken
0x14019b090 AdjustTokenPrivileges
0x14019b098 DuplicateTokenEx
0x14019b0a0 GetSecurityDescriptorLength
0x14019b0a8 EventWrite
0x14019b0b0 EventRegister
0x14019b0b8 EventEnabled
crypt.dll
0x14019b6a8 BCryptGenRandom
0x14019b6b0 BCryptEncrypt
0x14019b6b8 BCryptDecrypt
0x14019b6c0 BCryptImportKey
0x14019b6c8 BCryptOpenAlgorithmProvider
0x14019b6d0 BCryptCloseAlgorithmProvider
0x14019b6d8 BCryptDestroyKey
0x14019b6e0 BCryptSetProperty
KERNEL32.dll
0x14019b0c8 TlsFree
0x14019b0d0 TlsSetValue
0x14019b0d8 TlsGetValue
0x14019b0e0 TlsAlloc
0x14019b0e8 InitializeCriticalSectionAndSpinCount
0x14019b0f0 EncodePointer
0x14019b0f8 RaiseException
0x14019b100 RtlPcToFileHeader
0x14019b108 CloseThreadpoolIo
0x14019b110 GetStdHandle
0x14019b118 FileTimeToSystemTime
0x14019b120 SystemTimeToFileTime
0x14019b128 GetSystemTime
0x14019b130 GetCalendarInfoEx
0x14019b138 CompareStringOrdinal
0x14019b140 CompareStringEx
0x14019b148 FindNLSStringEx
0x14019b150 GetLocaleInfoEx
0x14019b158 ResolveLocaleName
0x14019b160 FindStringOrdinal
0x14019b168 GetTickCount64
0x14019b170 GetCurrentProcess
0x14019b178 GetCurrentThread
0x14019b180 Sleep
0x14019b188 InitializeCriticalSection
0x14019b190 InitializeConditionVariable
0x14019b198 DeleteCriticalSection
0x14019b1a0 LocalFree
0x14019b1a8 EnterCriticalSection
0x14019b1b0 SleepConditionVariableCS
0x14019b1b8 LeaveCriticalSection
0x14019b1c0 WakeConditionVariable
0x14019b1c8 QueryPerformanceCounter
0x14019b1d0 WaitForMultipleObjectsEx
0x14019b1d8 GetLastError
0x14019b1e0 QueryPerformanceFrequency
0x14019b1e8 SetLastError
0x14019b1f0 GetFullPathNameW
0x14019b1f8 GetLongPathNameW
0x14019b200 MultiByteToWideChar
0x14019b208 WideCharToMultiByte
0x14019b210 LocalAlloc
0x14019b218 GetConsoleOutputCP
0x14019b220 GetProcAddress
0x14019b228 RaiseFailFastException
0x14019b230 CreateThreadpoolIo
0x14019b238 StartThreadpoolIo
0x14019b240 CancelThreadpoolIo
0x14019b248 LocaleNameToLCID
0x14019b250 LCMapStringEx
0x14019b258 EnumTimeFormatsEx
0x14019b260 EnumCalendarInfoExEx
0x14019b268 CopyFileExW
0x14019b270 CreateFileW
0x14019b278 DeleteFileW
0x14019b280 DeviceIoControl
0x14019b288 ExpandEnvironmentStringsW
0x14019b290 FindClose
0x14019b298 FindFirstFileExW
0x14019b2a0 FlushFileBuffers
0x14019b2a8 FreeLibrary
0x14019b2b0 GetFileAttributesExW
0x14019b2b8 GetFileInformationByHandleEx
0x14019b2c0 GetFileType
0x14019b2c8 GetModuleFileNameW
0x14019b2d0 GetOverlappedResult
0x14019b2d8 LoadLibraryExW
0x14019b2e0 ReadFile
0x14019b2e8 SetFileInformationByHandle
0x14019b2f0 SetThreadErrorMode
0x14019b2f8 WriteFile
0x14019b300 GetCurrentProcessorNumberEx
0x14019b308 CloseHandle
0x14019b310 SetEvent
0x14019b318 ResetEvent
0x14019b320 CreateEventExW
0x14019b328 GetEnvironmentVariableW
0x14019b330 FormatMessageW
0x14019b338 DuplicateHandle
0x14019b340 GetThreadPriority
0x14019b348 SetThreadPriority
0x14019b350 CreateProcessA
0x14019b358 GetConsoleWindow
0x14019b360 GetModuleHandleA
0x14019b368 FreeConsole
0x14019b370 AllocConsole
0x14019b378 CreateProcessW
0x14019b380 GetThreadContext
0x14019b388 ExitProcess
0x14019b390 FlushProcessWriteBuffers
0x14019b398 GetCurrentThreadId
0x14019b3a0 WaitForSingleObjectEx
0x14019b3a8 VirtualQuery
0x14019b3b0 RtlRestoreContext
0x14019b3b8 AddVectoredExceptionHandler
0x14019b3c0 FlsAlloc
0x14019b3c8 FlsGetValue
0x14019b3d0 FlsSetValue
0x14019b3d8 CreateEventW
0x14019b3e0 TerminateProcess
0x14019b3e8 SwitchToThread
0x14019b3f0 CreateThread
0x14019b3f8 SuspendThread
0x14019b400 ResumeThread
0x14019b408 SetThreadContext
0x14019b410 FlushInstructionCache
0x14019b418 VirtualAlloc
0x14019b420 VirtualProtect
0x14019b428 VirtualFree
0x14019b430 QueryInformationJobObject
0x14019b438 GetModuleHandleW
0x14019b440 GetModuleHandleExW
0x14019b448 GetProcessAffinityMask
0x14019b450 InitializeContext
0x14019b458 GetEnabledXStateFeatures
0x14019b460 SetXStateFeaturesMask
0x14019b468 InitializeCriticalSectionEx
0x14019b470 GetSystemTimeAsFileTime
0x14019b478 DebugBreak
0x14019b480 WaitForSingleObject
0x14019b488 SleepEx
0x14019b490 GlobalMemoryStatusEx
0x14019b498 GetSystemInfo
0x14019b4a0 GetLogicalProcessorInformation
0x14019b4a8 GetLogicalProcessorInformationEx
0x14019b4b0 GetLargePageMinimum
0x14019b4b8 VirtualUnlock
0x14019b4c0 VirtualAllocExNuma
0x14019b4c8 IsProcessInJob
0x14019b4d0 GetNumaHighestNodeNumber
0x14019b4d8 GetProcessGroupAffinity
0x14019b4e0 K32GetProcessMemoryInfo
0x14019b4e8 RtlUnwindEx
0x14019b4f0 IsProcessorFeaturePresent
0x14019b4f8 SetUnhandledExceptionFilter
0x14019b500 UnhandledExceptionFilter
0x14019b508 IsDebuggerPresent
0x14019b510 RtlVirtualUnwind
0x14019b518 RtlLookupFunctionEntry
0x14019b520 RtlCaptureContext
0x14019b528 InitializeSListHead
0x14019b530 GetCurrentProcessId
ole32.dll
0x14019b6f0 CoUninitialize
0x14019b6f8 CoTaskMemAlloc
0x14019b700 CoGetApartmentType
0x14019b708 CoCreateGuid
0x14019b710 CoTaskMemFree
0x14019b718 CoWaitForMultipleHandles
0x14019b720 CoInitializeEx
api-ms-win-crt-math-l1-1-0.dll
0x14019b580 __setusermatherr
0x14019b588 ceil
api-ms-win-crt-heap-l1-1-0.dll
0x14019b540 calloc
0x14019b548 free
0x14019b550 _callnewh
0x14019b558 _set_new_mode
0x14019b560 malloc
api-ms-win-crt-string-l1-1-0.dll
0x14019b670 wcsncmp
0x14019b678 strncpy_s
0x14019b680 _stricmp
0x14019b688 strcpy_s
0x14019b690 strcmp
0x14019b698 _wcsicmp
api-ms-win-crt-runtime-l1-1-0.dll
0x14019b598 _c_exit
0x14019b5a0 _register_thread_local_exe_atexit_callback
0x14019b5a8 _get_initial_wide_environment
0x14019b5b0 _cexit
0x14019b5b8 __p___wargv
0x14019b5c0 __p___argc
0x14019b5c8 _exit
0x14019b5d0 exit
0x14019b5d8 _initterm_e
0x14019b5e0 _initterm
0x14019b5e8 terminate
0x14019b5f0 _crt_atexit
0x14019b5f8 _initialize_wide_environment
0x14019b600 _register_onexit_function
0x14019b608 _initialize_onexit_table
0x14019b610 _configure_wide_argv
0x14019b618 _set_app_type
0x14019b620 _seh_filter_exe
0x14019b628 abort
api-ms-win-crt-stdio-l1-1-0.dll
0x14019b638 __stdio_common_vsprintf_s
0x14019b640 __stdio_common_vsscanf
0x14019b648 __stdio_common_vfprintf
0x14019b650 __acrt_iob_func
0x14019b658 _set_fmode
0x14019b660 __p__commode
api-ms-win-crt-locale-l1-1-0.dll
0x14019b570 _configthreadlocale
EAT(Export Address Table) Library
0x140261360 DotNetRuntimeDebugHeader
ADVAPI32.dll
0x14019b000 RegCloseKey
0x14019b008 RegEnumValueW
0x14019b010 RegOpenKeyExW
0x14019b018 RegQueryValueExW
0x14019b020 RegCreateKeyExW
0x14019b028 RegDeleteKeyExW
0x14019b030 RegDeleteValueW
0x14019b038 RegEnumKeyExW
0x14019b040 RegFlushKey
0x14019b048 RegQueryInfoKeyW
0x14019b050 RegSetValueExW
0x14019b058 CreateWellKnownSid
0x14019b060 GetWindowsAccountDomainSid
0x14019b068 LookupPrivilegeValueW
0x14019b070 RevertToSelf
0x14019b078 OpenThreadToken
0x14019b080 OpenProcessToken
0x14019b088 SetThreadToken
0x14019b090 AdjustTokenPrivileges
0x14019b098 DuplicateTokenEx
0x14019b0a0 GetSecurityDescriptorLength
0x14019b0a8 EventWrite
0x14019b0b0 EventRegister
0x14019b0b8 EventEnabled
crypt.dll
0x14019b6a8 BCryptGenRandom
0x14019b6b0 BCryptEncrypt
0x14019b6b8 BCryptDecrypt
0x14019b6c0 BCryptImportKey
0x14019b6c8 BCryptOpenAlgorithmProvider
0x14019b6d0 BCryptCloseAlgorithmProvider
0x14019b6d8 BCryptDestroyKey
0x14019b6e0 BCryptSetProperty
KERNEL32.dll
0x14019b0c8 TlsFree
0x14019b0d0 TlsSetValue
0x14019b0d8 TlsGetValue
0x14019b0e0 TlsAlloc
0x14019b0e8 InitializeCriticalSectionAndSpinCount
0x14019b0f0 EncodePointer
0x14019b0f8 RaiseException
0x14019b100 RtlPcToFileHeader
0x14019b108 CloseThreadpoolIo
0x14019b110 GetStdHandle
0x14019b118 FileTimeToSystemTime
0x14019b120 SystemTimeToFileTime
0x14019b128 GetSystemTime
0x14019b130 GetCalendarInfoEx
0x14019b138 CompareStringOrdinal
0x14019b140 CompareStringEx
0x14019b148 FindNLSStringEx
0x14019b150 GetLocaleInfoEx
0x14019b158 ResolveLocaleName
0x14019b160 FindStringOrdinal
0x14019b168 GetTickCount64
0x14019b170 GetCurrentProcess
0x14019b178 GetCurrentThread
0x14019b180 Sleep
0x14019b188 InitializeCriticalSection
0x14019b190 InitializeConditionVariable
0x14019b198 DeleteCriticalSection
0x14019b1a0 LocalFree
0x14019b1a8 EnterCriticalSection
0x14019b1b0 SleepConditionVariableCS
0x14019b1b8 LeaveCriticalSection
0x14019b1c0 WakeConditionVariable
0x14019b1c8 QueryPerformanceCounter
0x14019b1d0 WaitForMultipleObjectsEx
0x14019b1d8 GetLastError
0x14019b1e0 QueryPerformanceFrequency
0x14019b1e8 SetLastError
0x14019b1f0 GetFullPathNameW
0x14019b1f8 GetLongPathNameW
0x14019b200 MultiByteToWideChar
0x14019b208 WideCharToMultiByte
0x14019b210 LocalAlloc
0x14019b218 GetConsoleOutputCP
0x14019b220 GetProcAddress
0x14019b228 RaiseFailFastException
0x14019b230 CreateThreadpoolIo
0x14019b238 StartThreadpoolIo
0x14019b240 CancelThreadpoolIo
0x14019b248 LocaleNameToLCID
0x14019b250 LCMapStringEx
0x14019b258 EnumTimeFormatsEx
0x14019b260 EnumCalendarInfoExEx
0x14019b268 CopyFileExW
0x14019b270 CreateFileW
0x14019b278 DeleteFileW
0x14019b280 DeviceIoControl
0x14019b288 ExpandEnvironmentStringsW
0x14019b290 FindClose
0x14019b298 FindFirstFileExW
0x14019b2a0 FlushFileBuffers
0x14019b2a8 FreeLibrary
0x14019b2b0 GetFileAttributesExW
0x14019b2b8 GetFileInformationByHandleEx
0x14019b2c0 GetFileType
0x14019b2c8 GetModuleFileNameW
0x14019b2d0 GetOverlappedResult
0x14019b2d8 LoadLibraryExW
0x14019b2e0 ReadFile
0x14019b2e8 SetFileInformationByHandle
0x14019b2f0 SetThreadErrorMode
0x14019b2f8 WriteFile
0x14019b300 GetCurrentProcessorNumberEx
0x14019b308 CloseHandle
0x14019b310 SetEvent
0x14019b318 ResetEvent
0x14019b320 CreateEventExW
0x14019b328 GetEnvironmentVariableW
0x14019b330 FormatMessageW
0x14019b338 DuplicateHandle
0x14019b340 GetThreadPriority
0x14019b348 SetThreadPriority
0x14019b350 CreateProcessA
0x14019b358 GetConsoleWindow
0x14019b360 GetModuleHandleA
0x14019b368 FreeConsole
0x14019b370 AllocConsole
0x14019b378 CreateProcessW
0x14019b380 GetThreadContext
0x14019b388 ExitProcess
0x14019b390 FlushProcessWriteBuffers
0x14019b398 GetCurrentThreadId
0x14019b3a0 WaitForSingleObjectEx
0x14019b3a8 VirtualQuery
0x14019b3b0 RtlRestoreContext
0x14019b3b8 AddVectoredExceptionHandler
0x14019b3c0 FlsAlloc
0x14019b3c8 FlsGetValue
0x14019b3d0 FlsSetValue
0x14019b3d8 CreateEventW
0x14019b3e0 TerminateProcess
0x14019b3e8 SwitchToThread
0x14019b3f0 CreateThread
0x14019b3f8 SuspendThread
0x14019b400 ResumeThread
0x14019b408 SetThreadContext
0x14019b410 FlushInstructionCache
0x14019b418 VirtualAlloc
0x14019b420 VirtualProtect
0x14019b428 VirtualFree
0x14019b430 QueryInformationJobObject
0x14019b438 GetModuleHandleW
0x14019b440 GetModuleHandleExW
0x14019b448 GetProcessAffinityMask
0x14019b450 InitializeContext
0x14019b458 GetEnabledXStateFeatures
0x14019b460 SetXStateFeaturesMask
0x14019b468 InitializeCriticalSectionEx
0x14019b470 GetSystemTimeAsFileTime
0x14019b478 DebugBreak
0x14019b480 WaitForSingleObject
0x14019b488 SleepEx
0x14019b490 GlobalMemoryStatusEx
0x14019b498 GetSystemInfo
0x14019b4a0 GetLogicalProcessorInformation
0x14019b4a8 GetLogicalProcessorInformationEx
0x14019b4b0 GetLargePageMinimum
0x14019b4b8 VirtualUnlock
0x14019b4c0 VirtualAllocExNuma
0x14019b4c8 IsProcessInJob
0x14019b4d0 GetNumaHighestNodeNumber
0x14019b4d8 GetProcessGroupAffinity
0x14019b4e0 K32GetProcessMemoryInfo
0x14019b4e8 RtlUnwindEx
0x14019b4f0 IsProcessorFeaturePresent
0x14019b4f8 SetUnhandledExceptionFilter
0x14019b500 UnhandledExceptionFilter
0x14019b508 IsDebuggerPresent
0x14019b510 RtlVirtualUnwind
0x14019b518 RtlLookupFunctionEntry
0x14019b520 RtlCaptureContext
0x14019b528 InitializeSListHead
0x14019b530 GetCurrentProcessId
ole32.dll
0x14019b6f0 CoUninitialize
0x14019b6f8 CoTaskMemAlloc
0x14019b700 CoGetApartmentType
0x14019b708 CoCreateGuid
0x14019b710 CoTaskMemFree
0x14019b718 CoWaitForMultipleHandles
0x14019b720 CoInitializeEx
api-ms-win-crt-math-l1-1-0.dll
0x14019b580 __setusermatherr
0x14019b588 ceil
api-ms-win-crt-heap-l1-1-0.dll
0x14019b540 calloc
0x14019b548 free
0x14019b550 _callnewh
0x14019b558 _set_new_mode
0x14019b560 malloc
api-ms-win-crt-string-l1-1-0.dll
0x14019b670 wcsncmp
0x14019b678 strncpy_s
0x14019b680 _stricmp
0x14019b688 strcpy_s
0x14019b690 strcmp
0x14019b698 _wcsicmp
api-ms-win-crt-runtime-l1-1-0.dll
0x14019b598 _c_exit
0x14019b5a0 _register_thread_local_exe_atexit_callback
0x14019b5a8 _get_initial_wide_environment
0x14019b5b0 _cexit
0x14019b5b8 __p___wargv
0x14019b5c0 __p___argc
0x14019b5c8 _exit
0x14019b5d0 exit
0x14019b5d8 _initterm_e
0x14019b5e0 _initterm
0x14019b5e8 terminate
0x14019b5f0 _crt_atexit
0x14019b5f8 _initialize_wide_environment
0x14019b600 _register_onexit_function
0x14019b608 _initialize_onexit_table
0x14019b610 _configure_wide_argv
0x14019b618 _set_app_type
0x14019b620 _seh_filter_exe
0x14019b628 abort
api-ms-win-crt-stdio-l1-1-0.dll
0x14019b638 __stdio_common_vsprintf_s
0x14019b640 __stdio_common_vsscanf
0x14019b648 __stdio_common_vfprintf
0x14019b650 __acrt_iob_func
0x14019b658 _set_fmode
0x14019b660 __p__commode
api-ms-win-crt-locale-l1-1-0.dll
0x14019b570 _configthreadlocale
EAT(Export Address Table) Library
0x140261360 DotNetRuntimeDebugHeader