Play interactive tour

Edit tour

Analysis Report csrss.exe

Overview

General Information

Sample Name:	csrss.exe
Analysis ID:	339538
MD5:	fd7d9bb7dc87ec1f9eb4bea4a2b1f599
SHA1:	d309fd468186aece5ac95236fe43caf117b1ace1
SHA256:	24a8019e1a5b4ffee8c7884fa515767d939a86ee3d378f1448dbe7730daffb3f
Most interesting Screenshot:

Detection

Glupteba

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Glupteba

Found Tor onion address

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Checks if the current process is being debugged

May use bcdedit to modify the Windows boot settings

One or more processes crash

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Startup

System is w10x64

csrss.exe (PID: 6712 cmdline: 'C:\Users\user\Desktop\csrss.exe' MD5: FD7D9BB7DC87EC1F9EB4BEA4A2B1F599)

WerFault.exe (PID: 6764 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6712 -s 272 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
csrss.exe	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: csrss.exe PID: 6712	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.csrss.exe.400000.0.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
0.2.csrss.exe.400000.0.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: csrss.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: csrss.exe

Virustotal: Detection: 43%

Perma Link

Yara detected Glupteba

Show sources

Source: Yara match	File source: csrss.exe, type: SAMPLE
Source: Yara match	File source: Process Memory Space: csrss.exe PID: 6712, type: MEMORY
Source: Yara match	File source: 0.0.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: csrss.exe

Joe Sandbox ML: detected

Bitcoin Miner:

Yara detected Glupteba

Show sources

Source: Yara match	File source: csrss.exe, type: SAMPLE
Source: Yara match	File source: Process Memory Space: csrss.exe PID: 6712, type: MEMORY
Source: Yara match	File source: 0.0.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE

Source: csrss.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DEBUG_STRIPPED, RELOCS_STRIPPED

Networking:

Found Tor onion address

Show sources

Source: csrss.exe, 00000000.00000000.212853324.0000000000750000.00000002.00020000.sdmp	String found in binary or memory: %safter top-level valuebad type in compare: block device requiredbufio: negative countcheckdead: runnable gcommand not supportedconcurrent map writescouldn't download WUPcouldn't elevate selfcouldn't extract depscouldn't get an eventcouldn't get app namecouldn't get usernamecouldn't hide servicecouldn't open logfilecouldn't open processcouldn't open servicecouldn't run cloudnetcouldn't scan networkcouldn't set app namecouldn't set defendercouldn't set firewallcouldn't stop servicecouldn't write drivercouldn't write packetdecompression failuredefer on system stackelectrum-server.ninjaelectrum.hodlister.coelectrum.mindspot.orgelectrum.qtornado.comelectrum2.villocq.comembedded/Winmon32.sysembedded/Winmon64.sysexec: already startedfindrunnable: wrong pfortress.qtornado.comgot TI process handlehelicarrier.bauerj.euhttp: Handler timeouthttp: nil Request.URLhttps://sndvoices.comimage: unknown formatin string escape codeinvalid JPEG format: invalid named capturekey is not comparablelink has been severednet/http: nil Contextpackage not installedpanic on system stackprocess name is emptyread-only file systemreflect.Value.Complexreflect.Value.Pointerreflect.Value.SetUintreleasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestopg: invalid statustoo many coefficientstrace/breakpoint trapunknown address type unknown empty Contextunsupported extensionunsupported type (%T)user defined signal 1user defined signal 2 into Go struct field %SystemRoot%\system32\(?i)"?((?:.?)+\.exe)"?/lib/time/zoneinfo.zip3smoooajg7qqac2y.onion4656612873077392578125Aleutian Standard TimeAtlantic Standard TimeCaucasus Standard TimeConvertSidToStringSidWConvertStringSidToSidWCreateCompatibleBitmapCreateEnvironmentBlockCreateIoCompletionPortDEBUG_HTTP2_GOROUTINESDateline Standard TimeGeorgian Standard TimeGetEnvironmentStringsWGetTimeZoneInformationGlobal\xmrigMUTEX31337Hawaiian Standard TimeInscriptional_ParthianMAX_CONCURRENT_STREAMSMountain Standard TimeNtWaitForSingleObject
Source: csrss.exe, 00000000.00000000.212853324.0000000000750000.00000002.00020000.sdmp	String found in binary or memory: Pakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSeImpersonatePrivilegeTasmania Standard TimeUnsupported Media TypeWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8YCbCrSubsampleRatio410YCbCrSubsampleRatio411YCbCrSubsampleRatio420YCbCrSubsampleRatio422YCbCrSubsampleRatio440YCbCrSubsampleRatio444\Eternalblue-2.2.0.exe\Eternalblue-2.2.0.xmladdress already in useadvapi32.dll not foundapplication/javascriptargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbauerjda5hnedjam.onionbauerjhejlv6di7s.onionbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memorycouldn't create devicecouldn't get file infocouldn't hide cloudnetcouldn't register testcouldn't select objectcouldn't start servicecoulnd't write to filediscover-blockchaincomdriver: bad connectionelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionerror decoding messageerror parsing regexp: excessive DC componentfailed to get UUID: %wfailed to open key: %wfailed to open src: %wfailed to set UUID: %wfreeIndex is not validgetenv before env initgzip: invalid checksumheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/icarus.tetradrachm.netidna: invalid label %qinappropriate fallbackinteger divide by zerointerface conversion: internal inconsistencyinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressndndword5lpb7eex.onionnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledozahtqwp25chjdjd.onionprocess is created WUPprotocol not availableprotocol not supportedqtornadoklbgdyww.onionreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: t.span= runtime: physPageSize=runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected length codeunexpected payload: %swirep: invalid p statewrite on closed bufferzero length BIT STRING into Go value of type %s/upload/%s/samples/%s) must be a power of 2
Source: csrss.exe, 00000000.00000000.212853324.0000000000750000.00000002.00020000.sdmp	String found in binary or memory: %safter top-level valuebad type in compare: block device requiredbufio: negative countcheckdead: runnable gcommand not supportedconcurrent map writescouldn't download WUPcouldn't elevate selfcouldn't extract depscouldn't get an eventcouldn't get app namecouldn't get usernamecouldn't hide servicecouldn't open logfilecouldn't open processcouldn't open servicecouldn't run cloudnetcouldn't scan networkcouldn't set app namecouldn't set defendercouldn't set firewallcouldn't stop servicecouldn't write drivercouldn't write packetdecompression failuredefer on system stackelectrum-server.ninjaelectrum.hodlister.coelectrum.mindspot.orgelectrum.qtornado.comelectrum2.villocq.comembedded/Winmon32.sysembedded/Winmon64.sysexec: already startedfindrunnable: wrong pfortress.qtornado.comgot TI process handlehelicarrier.bauerj.euhttp: Handler timeouthttp: nil Request.URLhttps://sndvoices.comimage: unknown formatin string escape codeinvalid JPEG format: invalid named capturekey is not comparablelink has been severednet/http: nil Contextpackage not installedpanic on system stackprocess name is emptyread-only file systemreflect.Value.Complexreflect.Value.Pointerreflect.Value.SetUintreleasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestopg: invalid statustoo many coefficientstrace/breakpoint trapunknown address type unknown empty Contextunsupported extensionunsupported type (%T)user defined signal 1user defined signal 2 into Go struct field %SystemRoot%\system32\(?i)"?((?:.?)+\.exe)"?/lib/time/zoneinfo.zip3smoooajg7qqac2y.onion4656612873077392578125Aleutian Standard TimeAtlantic Standard TimeCaucasus Standard TimeConvertSidToStringSidWConvertStringSidToSidWCreateCompatibleBitmapCreateEnvironmentBlockCreateIoCompletionPortDEBUG_HTTP2_GOROUTINESDateline Standard TimeGeorgian Standard TimeGetEnvironmentStringsWGetTimeZoneInformationGlobal\xmrigMUTEX31337Hawaiian Standard TimeInscriptional_ParthianMAX_CONCURRENT_STREAMSMountain Standard TimeNtWaitForSingleObjectPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSeImpersonatePrivilegeTasmania Standard TimeUnsupported Media TypeWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8YCbCrSubsampleRatio410YCbCrSubsampleRatio411YCbCrSubsampleRatio420YCbCrSubsampleRatio422YCbCrSubsampleRatio440YCbCrSubsampleRatio444\Eternalblue-2.2.0.exe\Eternalblue-2.2.0.xmladdress already in useadvapi32.dll not foundapplication/javascriptargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbauerjda5hnedjam.onionbauerjhejlv6di7s.onionbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memorycouldn't create devicecouldn't get file infocouldn't hide cloudnetcouldn't register testcouldn't select objectcouldn't start servicecoulnd't write t
Source: csrss.exe, 00000000.00000000.212862901.0000000000769000.00000002.00020000.sdmp	String found in binary or memory: sync: WaitGroup misuse: Add called concurrently with Waittls: Ed25519 public keys are not supported before TLS 1.2tls: peer doesn't support any common signature algorithmstls: server selected an invalid PSK and cipher suite pairtls: server sent an unnecessary HelloRetryRequest messageLynx/2.8.7dev.4 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.8dMidori/0.1.10 (X11; Linux i686; U; en-us) WebKit/(531).(2)Opera/9.80 (X11; Linux i686) Presto/2.12.388 Version/12.16Value looks like object, but can't find closing '}' symbolhttp2: client connection force closed via ClientConn.Closejson: cannot set embedded pointer to unexported struct: %vruntime: GetQueuedCompletionStatus returned invalid mode= tls: server changed cipher suite after a HelloRetryRequestELinks/0.9.3 (textmode; Linux 2.6.9-kanotix-8 i686; 127x41)HKEY_USERS\%s\Software\Microsoft\Windows\CurrentVersion\RunMozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)Mozilla/4.0 (compatible; MSIE 6.0; j2me) ReqwirelessWeb/3.5RoundTripper returned a response & error; ignoring responsebufio.Scanner: SplitFunc returns advance count beyond inputhttp2: Transport received Server's graceful shutdown GOAWAYsync/atomic: store of inconsistently typed value into Valuesync: WaitGroup is reused before previous Wait has returnedtls: server resumed a session with a different cipher suitetls: server selected TLS 1.3 using the legacy version fieldKonqueror/3.0-rc4; (Konqueror/3.0-rc4; i686 Linux;;datecode)Nokia7250/1.0 (3.14) Profile/MIDP-1.0 Configuration/CLDC-1.0Opera/9.64 (X11; Linux i686; U; Linux Mint; nb) Presto/2.1.1archive/zip: TOC declares impossible %d files in %d byte zipmalformed response from server: missing status pseudo headernet/http: server response headers exceeded %d bytes; abortedtls: initial handshake had non-empty renegotiation extensiontls: no supported versions satisfy MinVersion and MaxVersionFeedFetcher-Google; ( http://www.google.com/feedfetcher.html)HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\ProcessesMozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11)Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like GeckoNokia6100/1.0 (04.01) Profile/MIDP-1.0 Configuration/CLDC-1.0Nokia6230/2.0 (04.44) Profile/MIDP-2.0 Configuration/CLDC-1.1SonyEricssonT610/R201 Profile/MIDP-1.0 Configuration/CLDC-1.0net/http: invalid Cookie.Domain %q; dropping domain attributetls: certificate private key does not implement crypto.Signertls: server sent a ServerHello extension forbidden in TLS 1.3tls: unsupported certificate: private key is %T, expected *%Tx509: failed to parse URI constraint %q: cannot be IP address0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZMozilla/1.22 (compatible; MSIE 5.01; PalmOS 3.0) EudoraWeb 2.1Mozilla/5.0 (Android 4.2; rv:19.0) Gecko/20121129 Firefox/19.0Mozilla/5.0 (Android; Mobile; rv:35.0) Gecko/35.0 Firefox/35.0Mozilla/5.0 (Windows; U; Windows XP) Gecko MultiZilla/1.6.1.0aNokia6230i/2.0 (03.80) Profile/MIDP-2.0 Configuration/CLDC-1.1Opera/9.80 (Window
Source: csrss.exe	String found in binary or memory: %safter top-level valuebad type in compare: block device requiredbufio: negative countcheckdead: runnable gcommand not supportedconcurrent map writescouldn't download WUPcouldn't elevate selfcouldn't extract depscouldn't get an eventcouldn't get app namecouldn't get usernamecouldn't hide servicecouldn't open logfilecouldn't open processcouldn't open servicecouldn't run cloudnetcouldn't scan networkcouldn't set app namecouldn't set defendercouldn't set firewallcouldn't stop servicecouldn't write drivercouldn't write packetdecompression failuredefer on system stackelectrum-server.ninjaelectrum.hodlister.coelectrum.mindspot.orgelectrum.qtornado.comelectrum2.villocq.comembedded/Winmon32.sysembedded/Winmon64.sysexec: already startedfindrunnable: wrong pfortress.qtornado.comgot TI process handlehelicarrier.bauerj.euhttp: Handler timeouthttp: nil Request.URLhttps://sndvoices.comimage: unknown formatin string escape codeinvalid JPEG format: invalid named capturekey is not comparablelink has been severednet/http: nil Contextpackage not installedpanic on system stackprocess name is emptyread-only file systemreflect.Value.Complexreflect.Value.Pointerreflect.Value.SetUintreleasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestopg: invalid statustoo many coefficientstrace/breakpoint trapunknown address type unknown empty Contextunsupported extensionunsupported type (%T)user defined signal 1user defined signal 2 into Go struct field %SystemRoot%\system32\(?i)"?((?:.?)+\.exe)"?/lib/time/zoneinfo.zip3smoooajg7qqac2y.onion4656612873077392578125Aleutian Standard TimeAtlantic Standard TimeCaucasus Standard TimeConvertSidToStringSidWConvertStringSidToSidWCreateCompatibleBitmapCreateEnvironmentBlockCreateIoCompletionPortDEBUG_HTTP2_GOROUTINESDateline Standard TimeGeorgian Standard TimeGetEnvironmentStringsWGetTimeZoneInformationGlobal\xmrigMUTEX31337Hawaiian Standard TimeInscriptional_ParthianMAX_CONCURRENT_STREAMSMountain Standard TimeNtWaitForSingleObject
Source: csrss.exe	String found in binary or memory: Pakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSeImpersonatePrivilegeTasmania Standard TimeUnsupported Media TypeWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8YCbCrSubsampleRatio410YCbCrSubsampleRatio411YCbCrSubsampleRatio420YCbCrSubsampleRatio422YCbCrSubsampleRatio440YCbCrSubsampleRatio444\Eternalblue-2.2.0.exe\Eternalblue-2.2.0.xmladdress already in useadvapi32.dll not foundapplication/javascriptargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbauerjda5hnedjam.onionbauerjhejlv6di7s.onionbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memorycouldn't create devicecouldn't get file infocouldn't hide cloudnetcouldn't register testcouldn't select objectcouldn't start servicecoulnd't write to filediscover-blockchaincomdriver: bad connectionelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionerror decoding messageerror parsing regexp: excessive DC componentfailed to get UUID: %wfailed to open key: %wfailed to open src: %wfailed to set UUID: %wfreeIndex is not validgetenv before env initgzip: invalid checksumheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/icarus.tetradrachm.netidna: invalid label %qinappropriate fallbackinteger divide by zerointerface conversion: internal inconsistencyinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressndndword5lpb7eex.onionnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledozahtqwp25chjdjd.onionprocess is created WUPprotocol not availableprotocol not supportedqtornadoklbgdyww.onionreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: t.span= runtime: physPageSize=runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected length codeunexpected payload: %swirep: invalid p statewrite on closed bufferzero length BIT STRING into Go value of type %s/upload/%s/samples/%s) must be a power of 2
Source: csrss.exe	String found in binary or memory: %safter top-level valuebad type in compare: block device requiredbufio: negative countcheckdead: runnable gcommand not supportedconcurrent map writescouldn't download WUPcouldn't elevate selfcouldn't extract depscouldn't get an eventcouldn't get app namecouldn't get usernamecouldn't hide servicecouldn't open logfilecouldn't open processcouldn't open servicecouldn't run cloudnetcouldn't scan networkcouldn't set app namecouldn't set defendercouldn't set firewallcouldn't stop servicecouldn't write drivercouldn't write packetdecompression failuredefer on system stackelectrum-server.ninjaelectrum.hodlister.coelectrum.mindspot.orgelectrum.qtornado.comelectrum2.villocq.comembedded/Winmon32.sysembedded/Winmon64.sysexec: already startedfindrunnable: wrong pfortress.qtornado.comgot TI process handlehelicarrier.bauerj.euhttp: Handler timeouthttp: nil Request.URLhttps://sndvoices.comimage: unknown formatin string escape codeinvalid JPEG format: invalid named capturekey is not comparablelink has been severednet/http: nil Contextpackage not installedpanic on system stackprocess name is emptyread-only file systemreflect.Value.Complexreflect.Value.Pointerreflect.Value.SetUintreleasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestopg: invalid statustoo many coefficientstrace/breakpoint trapunknown address type unknown empty Contextunsupported extensionunsupported type (%T)user defined signal 1user defined signal 2 into Go struct field %SystemRoot%\system32\(?i)"?((?:.?)+\.exe)"?/lib/time/zoneinfo.zip3smoooajg7qqac2y.onion4656612873077392578125Aleutian Standard TimeAtlantic Standard TimeCaucasus Standard TimeConvertSidToStringSidWConvertStringSidToSidWCreateCompatibleBitmapCreateEnvironmentBlockCreateIoCompletionPortDEBUG_HTTP2_GOROUTINESDateline Standard TimeGeorgian Standard TimeGetEnvironmentStringsWGetTimeZoneInformationGlobal\xmrigMUTEX31337Hawaiian Standard TimeInscriptional_ParthianMAX_CONCURRENT_STREAMSMountain Standard TimeNtWaitForSingleObjectPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSeImpersonatePrivilegeTasmania Standard TimeUnsupported Media TypeWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8YCbCrSubsampleRatio410YCbCrSubsampleRatio411YCbCrSubsampleRatio420YCbCrSubsampleRatio422YCbCrSubsampleRatio440YCbCrSubsampleRatio444\Eternalblue-2.2.0.exe\Eternalblue-2.2.0.xmladdress already in useadvapi32.dll not foundapplication/javascriptargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbauerjda5hnedjam.onionbauerjhejlv6di7s.onionbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memorycouldn't create devicecouldn't get file infocouldn't hide cloudnetcouldn't register testcouldn't select objectcouldn't start servicecoulnd't write t
Source: csrss.exe	String found in binary or memory: sync: WaitGroup misuse: Add called concurrently with Waittls: Ed25519 public keys are not supported before TLS 1.2tls: peer doesn't support any common signature algorithmstls: server selected an invalid PSK and cipher suite pairtls: server sent an unnecessary HelloRetryRequest messageLynx/2.8.7dev.4 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.8dMidori/0.1.10 (X11; Linux i686; U; en-us) WebKit/(531).(2)Opera/9.80 (X11; Linux i686) Presto/2.12.388 Version/12.16Value looks like object, but can't find closing '}' symbolhttp2: client connection force closed via ClientConn.Closejson: cannot set embedded pointer to unexported struct: %vruntime: GetQueuedCompletionStatus returned invalid mode= tls: server changed cipher suite after a HelloRetryRequestELinks/0.9.3 (textmode; Linux 2.6.9-kanotix-8 i686; 127x41)HKEY_USERS\%s\Software\Microsoft\Windows\CurrentVersion\RunMozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)Mozilla/4.0 (compatible; MSIE 6.0; j2me) ReqwirelessWeb/3.5RoundTripper returned a response & error; ignoring responsebufio.Scanner: SplitFunc returns advance count beyond inputhttp2: Transport received Server's graceful shutdown GOAWAYsync/atomic: store of inconsistently typed value into Valuesync: WaitGroup is reused before previous Wait has returnedtls: server resumed a session with a different cipher suitetls: server selected TLS 1.3 using the legacy version fieldKonqueror/3.0-rc4; (Konqueror/3.0-rc4; i686 Linux;;datecode)Nokia7250/1.0 (3.14) Profile/MIDP-1.0 Configuration/CLDC-1.0Opera/9.64 (X11; Linux i686; U; Linux Mint; nb) Presto/2.1.1archive/zip: TOC declares impossible %d files in %d byte zipmalformed response from server: missing status pseudo headernet/http: server response headers exceeded %d bytes; abortedtls: initial handshake had non-empty renegotiation extensiontls: no supported versions satisfy MinVersion and MaxVersionFeedFetcher-Google; ( http://www.google.com/feedfetcher.html)HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\ProcessesMozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11)Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like GeckoNokia6100/1.0 (04.01) Profile/MIDP-1.0 Configuration/CLDC-1.0Nokia6230/2.0 (04.44) Profile/MIDP-2.0 Configuration/CLDC-1.1SonyEricssonT610/R201 Profile/MIDP-1.0 Configuration/CLDC-1.0net/http: invalid Cookie.Domain %q; dropping domain attributetls: certificate private key does not implement crypto.Signertls: server sent a ServerHello extension forbidden in TLS 1.3tls: unsupported certificate: private key is %T, expected *%Tx509: failed to parse URI constraint %q: cannot be IP address0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZMozilla/1.22 (compatible; MSIE 5.01; PalmOS 3.0) EudoraWeb 2.1Mozilla/5.0 (Android 4.2; rv:19.0) Gecko/20121129 Firefox/19.0Mozilla/5.0 (Android; Mobile; rv:35.0) Gecko/35.0 Firefox/35.0Mozilla/5.0 (Windows; U; Windows XP) Gecko MultiZilla/1.6.1.0aNokia6230i/2.0 (03.80) Profile/MIDP-2.0 Configuration/CLDC-1.1Opera/9.80 (Window

Source: csrss.exe	String found in binary or memory: http://anydesk.cz/objednat
Source: csrss.exe	String found in binary or memory: http://duckduckgo.com/?q=http://www.google.com/?q=iTunes/9.0.2
Source: csrss.exe	String found in binary or memory: http://localhost:3433/icarus.tetradrachm.netidna:
Source: csrss.exe	String found in binary or memory: http://search.msn.com/msnbot.htm)msnbot/1.1
Source: csrss.exe	String found in binary or memory: http://search.msn.com/msnbot.htm)multipart/form-data
Source: csrss.exe	String found in binary or memory: http://www.avantbrowser.com)MOT-V9mm/00.62
Source: csrss.exe	String found in binary or memory: http://www.google.com/bot.html)Mozilla/5.0
Source: csrss.exe	String found in binary or memory: http://www.google.com/feedfetcher.html)HKLM
Source: csrss.exe	String found in binary or memory: http://www.google.ru/?hl=ru&q=illegal
Source: csrss.exe	String found in binary or memory: http://www.search.com/web?q=invalid
Source: csrss.exe	String found in binary or memory: https://2makestorage.comhttps://easywbdesign.comidna:
Source: csrss.exe	String found in binary or memory: https://babsitef.cominvalid
Source: csrss.exe	String found in binary or memory: https://beacons.gcp.gvt2.com/domainreliability/upload-nel
Source: csrss.exe	String found in binary or memory: https://beacons.gcp.gvt2.com/domainreliability/upload-nel)
Source: csrss.exe	String found in binary or memory: https://beacons.gcp.gvt2.com/domainreliability/upload-nel9
Source: csrss.exe	String found in binary or memory: https://beacons.gcp.gvt2.com/domainreliability/upload-nelc
Source: csrss.exe	String found in binary or memory: https://beacons.gvt2.com/domainreliability/upload-nel
Source: csrss.exe	String found in binary or memory: https://beacons.gvt2.com/domainreliability/upload-nel:
Source: csrss.exe	String found in binary or memory: https://beacons.gvt2.com/domainreliability/upload-neld
Source: csrss.exe	String found in binary or memory: https://beacons2.gvt2.com/domainreliability/upload-nel
Source: csrss.exe	String found in binary or memory: https://beacons2.gvt2.com/domainreliability/upload-nel;X
Source: csrss.exe	String found in binary or memory: https://beacons2.gvt2.com/domainreliability/upload-neleX
Source: csrss.exe	String found in binary or memory: https://beacons3.gvt2.com/domainreliability/upload-nel
Source: csrss.exe	String found in binary or memory: https://beacons3.gvt2.com/domainreliability/upload-nelfY
Source: csrss.exe	String found in binary or memory: https://beacons4.gvt2.com/domainreliability/upload-nel
Source: csrss.exe	String found in binary or memory: https://beacons4.gvt2.com/domainreliability/upload-nel-Y
Source: csrss.exe	String found in binary or memory: https://beacons4.gvt2.com/domainreliability/upload-nel=Y
Source: csrss.exe	String found in binary or memory: https://beacons4.gvt2.com/domainreliability/upload-nelgY
Source: csrss.exe	String found in binary or memory: https://beacons5.gvt2.com/domainreliability/upload-nel
Source: csrss.exe	String found in binary or memory: https://beacons5.gvt2.com/domainreliability/upload-nel.Y
Source: csrss.exe	String found in binary or memory: https://beacons5.gvt2.com/domainreliability/upload-nelhY
Source: csrss.exe	String found in binary or memory: https://beacons5.gvt3.com/domainreliability/upload-nel
Source: csrss.exe	String found in binary or memory: https://beacons5.gvt3.com/domainreliability/upload-nel/Y
Source: csrss.exe	String found in binary or memory: https://beacons5.gvt3.com/domainreliability/upload-nel?Y
Source: csrss.exe	String found in binary or memory: https://beacons5.gvt3.com/domainreliability/upload-neliY
Source: csrss.exe	String found in binary or memory: https://blockchain.infoindex
Source: csrss.exe	String found in binary or memory: https://clients2.google.com/domainreliability/upload-nel
Source: csrss.exe	String found in binary or memory: https://clients2.google.com/domainreliability/upload-nel(Y
Source: csrss.exe	String found in binary or memory: https://clients2.google.com/domainreliability/upload-nel0Y
Source: csrss.exe	String found in binary or memory: https://clients2.google.com/domainreliability/upload-neljY
Source: csrss.exe	String found in binary or memory: https://easywbdesign.com/api/install-failureiTunes/4.2
Source: csrss.exe	String found in binary or memory: https://policies.google.com/privacy
Source: csrss.exe	String found in binary or memory: https://sndvoices.comimage:
Source: csrss.exe	String found in binary or memory: https://swebgames.site/smbid
Source: csrss.exe	String found in binary or memory: https://turnitin.com/robot/crawlerinfo.html)couldn
Source: csrss.exe	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html

E-Banking Fraud:

Yara detected Glupteba

Show sources

Source: Yara match	File source: csrss.exe, type: SAMPLE
Source: Yara match	File source: Process Memory Space: csrss.exe PID: 6712, type: MEMORY
Source: Yara match	File source: 0.0.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE

Source: unknown

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6712 -s 272

Source: csrss.exe, 00000000.00000002.217676971.000000000090F000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameKernelbasej% vs csrss.exe
Source: csrss.exe, 00000000.00000000.212802673.0000000000718000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamemfps.dllj% vs csrss.exe
Source: csrss.exe	Binary or memory string: OriginalFilenamemfps.dllj% vs csrss.exe
Source: csrss.exe	Binary or memory string: OriginalFilenameKernelbasej% vs csrss.exe

Source: csrss.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DEBUG_STRIPPED, RELOCS_STRIPPED

Source: csrss.exe

Binary string: \Device\HarddiskVolume2\Users\LKDR\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\29bf4ec1aa2307ea_0b}

Source: classification engine

Classification label: mal76.troj.evad.winEXE@2/0@0/0

Source: csrss.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\csrss.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: csrss.exe, 00000000.00000000.212740349.000000000070B000.00000002.00020000.sdmp	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: csrss.exe, 00000000.00000000.212740349.000000000070B000.00000002.00020000.sdmp	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: csrss.exe, 00000000.00000000.212740349.000000000070B000.00000002.00020000.sdmp	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: csrss.exe, 00000000.00000000.212740349.000000000070B000.00000002.00020000.sdmp	Binary or memory string: SELECT ALL id FROM %s;
Source: csrss.exe, 00000000.00000000.212740349.000000000070B000.00000002.00020000.sdmp	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: csrss.exe, 00000000.00000000.212740349.000000000070B000.00000002.00020000.sdmp	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: csrss.exe, 00000000.00000000.212740349.000000000070B000.00000002.00020000.sdmp	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: csrss.exe, 00000000.00000000.212740349.000000000070B000.00000002.00020000.sdmp	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);

Source: csrss.exe

Virustotal: Detection: 43%

Source: csrss.exe	String found in binary or memory: to unallocated span%%!%c(*big.Float=%s)%s\Sysnative\cmd.exe/bots/report-install37252902984619140625Arabic Standard TimeAzores Standard TimeCertOpenSystemStoreWChangeServiceConfigWCheckTokenMembershipCreateProcessAsUserWCryptAcquireContextWDHT has wrong lengthDQT has wrong lengthDRI has wrong lengthEgyptian_HieroglyphsFileTimeToSystemTimeGetAcceptExSockaddrsGetAdaptersAddressesGetCurrentDirectoryWGetFileAttributesExWGetProcessMemoryInfoGetWindowsDirectoryWGlobal\wupEvent31337IDS_Trinary_OperatorInsufficient StorageIsrael Standard TimeJordan Standard TimeMAX_HEADER_LIST_SIZEMalformed JSON errorMediapartners-GoogleMeroitic_HieroglyphsNtUnmapViewOfSectionNtWriteVirtualMemoryOffline Explorer/2.5ProcessIdToSessionIdQueryServiceConfig2WQueryServiceStatusExRegisterEventSourceWRequest URI Too LongSHGetKnownFolderPathSOF has wrong lengthSOS has wrong lengthSafeArrayDestroyDataSafeArrayGetElemsizeSeek: invalid offsetSeek: invalid whenceSetCurrentDirectoryWSetHandleInformationSetVolumeMountPointWTaipei Standard TimeTerminal_PunctuationTurkey Standard TimeUnprocessable EntityWinmonProcessMonitor[invalid char class]asn1: syntax error: bad defer size classbad font file formatbad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)close of nil channelconnection error: %sconnection timed outcouldn't disable DSEcouldn't get DI bitscouldn't get IsAdmincouldn't get serverscouldn't run servicecouldn't set IsAdmincouldn't set serverscouldn't stop PsaSvccouldn't write patchdoublepulsar: %s: %selectrum.hsmiths.comelectrum.taborsky.czelectrum.villocq.comevent does not existfloating point errorforcegc: phase errorgc_trigger underflowget-unverified-filesgetadaptersaddressesgo of nil func valuegopark: bad g statusgzip: invalid headerheader line too longhttp2: stream closedhttps://babsitef.cominvalid repeat countinvalid request codeis a named type filejson: Unmarshal(nil json: Unmarshal(nil)key has been revokedmSpanList.insertBackmalformed ciphertextmalloc during signalmultiple SOF markersmutex does not existno such struct fieldnon-empty swept listnot an integer classnot enough argumentsnotetsleep not on g0number has no digitsnumber of componentsp mcache not flushedpacer: assist ratio=pad length too largepreempt off reason: reflect.Value.SetIntreflect.makeFuncStubregistry-get-startuproot\SecurityCenter2runtime: casgstatus runtime: double waitruntime: unknown pc semaRoot rotateRightshort segment lengthsystemdrive is emptytime: invalid numbertrace: out of memoryunexpected method IDunexpected network: unknown address typeuser is not an adminwirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not found gp.gcscanvalid=true
Source: csrss.exe	String found in binary or memory: to unallocated span%%!%c(*big.Float=%s)%s\Sysnative\cmd.exe/bots/report-install37252902984619140625Arabic Standard TimeAzores Standard TimeCertOpenSystemStoreWChangeServiceConfigWCheckTokenMembershipCreateProcessAsUserWCryptAcquireContextWDHT has wrong lengthDQT has wrong lengthDRI has wrong lengthEgyptian_HieroglyphsFileTimeToSystemTimeGetAcceptExSockaddrsGetAdaptersAddressesGetCurrentDirectoryWGetFileAttributesExWGetProcessMemoryInfoGetWindowsDirectoryWGlobal\wupEvent31337IDS_Trinary_OperatorInsufficient StorageIsrael Standard TimeJordan Standard TimeMAX_HEADER_LIST_SIZEMalformed JSON errorMediapartners-GoogleMeroitic_HieroglyphsNtUnmapViewOfSectionNtWriteVirtualMemoryOffline Explorer/2.5ProcessIdToSessionIdQueryServiceConfig2WQueryServiceStatusExRegisterEventSourceWRequest URI Too LongSHGetKnownFolderPathSOF has wrong lengthSOS has wrong lengthSafeArrayDestroyDataSafeArrayGetElemsizeSeek: invalid offsetSeek: invalid whenceSetCurrentDirectoryWSetHandleInformationSetVolumeMountPointWTaipei Standard TimeTerminal_PunctuationTurkey Standard TimeUnprocessable EntityWinmonProcessMonitor[invalid char class]asn1: syntax error: bad defer size classbad font file formatbad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)close of nil channelconnection error: %sconnection timed outcouldn't disable DSEcouldn't get DI bitscouldn't get IsAdmincouldn't get serverscouldn't run servicecouldn't set IsAdmincouldn't set serverscouldn't stop PsaSvccouldn't write patchdoublepulsar: %s: %selectrum.hsmiths.comelectrum.taborsky.czelectrum.villocq.comevent does not existfloating point errorforcegc: phase errorgc_trigger underflowget-unverified-filesgetadaptersaddressesgo of nil func valuegopark: bad g statusgzip: invalid headerheader line too longhttp2: stream closedhttps://babsitef.cominvalid repeat countinvalid request codeis a named type filejson: Unmarshal(nil json: Unmarshal(nil)key has been revokedmSpanList.insertBackmalformed ciphertextmalloc during signalmultiple SOF markersmutex does not existno such struct fieldnon-empty swept listnot an integer classnot enough argumentsnotetsleep not on g0number has no digitsnumber of componentsp mcache not flushedpacer: assist ratio=pad length too largepreempt off reason: reflect.Value.SetIntreflect.makeFuncStubregistry-get-startuproot\SecurityCenter2runtime: casgstatus runtime: double waitruntime: unknown pc semaRoot rotateRightshort segment lengthsystemdrive is emptytime: invalid numbertrace: out of memoryunexpected method IDunexpected network: unknown address typeuser is not an adminwirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not found gp.gcscanvalid=true
Source: csrss.exe	String found in binary or memory: *,identity,gzip,deflate/bots/scheduled-install23283064365386962890625<invalid reflect.Value>Argentina Standard TimeAstrakhan Standard TimeCLIENT_TRAFFIC_SECRET_0CertGetCertificateChainCreateProcessWithLogonWCreateProcessWithTokenWDeleteVolumeMountPointWDestroyEnvironmentBlockDownload Demon/3.5.0.11E. Africa Standard TimeE. Europe Standard TimeFreeEnvironmentStringsWGetEnvironmentVariableWGetLogicalDriveStringsWGetSidSubAuthorityCountGetSystemTimeAsFileTimeGlobal\Mp6c3Ygukx29GbDkGlobal\ewzy5hgt3x5sof4vGlobal\h48yorbq6rm87zotGlobal\y7ze3fznx1u0yc2zGreenland Standard TimeGreenwich Standard TimeImpersonateLoggedOnUserLogical_Order_ExceptionLord Howe Standard TimeMB during sweep; swept Marquesas Standard TimeMauritius Standard TimeNoncharacter_Code_PointOSArchitecture is emptyQueryServiceLockStatusWSERVER_TRAFFIC_SECRET_0SafeArrayCreateVectorExSetEnvironmentVariableWSetInformationJobObjectSetProcessPriorityBoostSetThreadExecutionStateSingapore Standard TimeSri Lanka Standard TimeTocantins Standard TimeVariant Also NegotiatesVariantTimeToSystemTimeVenezuela Standard TimeW. Europe Standard TimeWSAGetOverlappedResult
Source: csrss.exe	String found in binary or memory: *,identity,gzip,deflate/bots/scheduled-install23283064365386962890625<invalid reflect.Value>Argentina Standard TimeAstrakhan Standard TimeCLIENT_TRAFFIC_SECRET_0CertGetCertificateChainCreateProcessWithLogonWCreateProcessWithTokenWDeleteVolumeMountPointWDestroyEnvironmentBlockDownload Demon/3.5.0.11E. Africa Standard TimeE. Europe Standard TimeFreeEnvironmentStringsWGetEnvironmentVariableWGetLogicalDriveStringsWGetSidSubAuthorityCountGetSystemTimeAsFileTimeGlobal\Mp6c3Ygukx29GbDkGlobal\ewzy5hgt3x5sof4vGlobal\h48yorbq6rm87zotGlobal\y7ze3fznx1u0yc2zGreenland Standard TimeGreenwich Standard TimeImpersonateLoggedOnUserLogical_Order_ExceptionLord Howe Standard TimeMB during sweep; swept Marquesas Standard TimeMauritius Standard TimeNoncharacter_Code_PointOSArchitecture is emptyQueryServiceLockStatusWSERVER_TRAFFIC_SECRET_0SafeArrayCreateVectorExSetEnvironmentVariableWSetInformationJobObjectSetProcessPriorityBoostSetThreadExecutionStateSingapore Standard TimeSri Lanka Standard TimeTocantins Standard TimeVariant Also NegotiatesVariantTimeToSystemTimeVenezuela Standard TimeW. Europe Standard TimeWSAGetOverlappedResultWest Asia Standard TimeWest Bank Standard Time" not found in registry", missing CPU support
Source: csrss.exe	String found in binary or memory: > (den<<shift)/2unable to get data structureunexpected end of JSON inputunexpected protocol version update couldn't execute file cannot be converted to type 45474735088646411895751953125Adobe Application Manager 2.0Central America Standard TimeCentral Pacific Standard TimeChatham Islands Standard TimeGetSystemPreferredUILanguagesGetThreadPreferredUILanguagesGetVolumeInformationByHandleWHuffman table has zero lengthLockOSThread nesting overflowMicrosoft Security EssentialsMon, 02 Jan 2006 15:04:05 GMTMon, 02 Jan 2006 15:04:05 MSTMon, 02-Jan-2006 15:04:05 MSTN. Central Asia Standard TimeNon-Authoritative InformationNorth Asia East Standard TimeProxy Authentication RequiredSWbemServices has been closedScreaming Frog SEO Spider/8.1Standard VGA Graphics AdapterTime.UnmarshalBinary: no dataUnavailable For Legal ReasonsWinmonSystemMonitor-10-64.sysaddspecial on invalid pointerbad spectral selection boundsbufio.Scanner: token too longcouldn't create smb directorycouldn't get current filenamecouldn't listen and serve SMBcouldn't query service configcouldn't set servers versionscrypto/aes: invalid key size crypto/des: invalid key size crypto/rc4: invalid key size dup idle pconn %p in freelistelectrum.festivaldelhumor.orgelectrumx.electricnewyear.netexec: Wait was already calledfailed to copy old config: %wfailed to get MAC-address: %wfailed to get campaign ID: %wfailed to parse server %s: %wfailed to prepare command: %wfailed to set campaign ID: %wfailed to set secure boot: %wgc done but gcphase != _GCoffgfput: bad status (not Gdead)http2: client conn not usablehttp: idle connection timeoutinteger not minimally-encodedinternal error: took too muchinvalid character class rangeinvalid header field value %qinvalid length of trace eventio: read/write on closed pipeluma/chroma subsampling ratiomachine is not on the networkmime: invalid media parametermismatched local address typeneed padding in bucket (elem)no XENIX semaphores availablenotesleep - waitm out of syncnumerical result out of rangeoperation already in progresspadding contained in alphabetprotocol family not supportedreflect: Elem of invalid typereflect: Out of non-func typerepeated component identifierruntime.semasleep wait_failedruntime: impossible type kindruntime: marking free object runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: stat underflow: val runtime: sudog with non-nil cruntime: unknown pc in defer semacquire not on the G stackspecified name does not existstring concatenation too longsyntax error scanning booleantimeBegin/EndPeriod not foundtls: DialWithDialer timed outtls: invalid NextProtos valuetls: invalid client key sharetls: invalid server key sharetls: too many ignored recordstls: use of closed connectiontoo many open files in systemunknown IP protocol specifiedunknown certificate authorityx509: cannot parse URI %q: %sx509: cannot parse dnsName %qzero length OBJECT IDENTIFIERzip: FileHeader.Name too long (types from different scopes) in prepareForSweep; sweepge
Source: csrss.exe	String found in binary or memory: tls: client's Finished message is incorrecttls: received malformed key_share extensiontls: unsupported signature algorithm: %#04xtransform: inconsistent byte count returnedunknown runnable goroutine during bootstrapuuid: incorrect UUID length %d in string %qx509: Common Name is not a valid hostname: x509: failed to parse dnsName constraint %q using value obtained using unexported fieldHKEY_USERS\%s\Software\EpicNet Inc.\CloudNetMSIE (MSIE 6.0; X11; Linux; i686) Opera 7.23Mozilla/4.77 [en] (X11; I; IRIX;64 6.5 IP30)cipher: NewGCM requires 128-bit block ciphercouldn't determine whether token is elevatedcouldn't determine whether user is admin: %scouldn't get scripthash transactions historycouldn't install WinmonProcessMonitor drivercrypto/sha256: invalid hash state identifiercrypto/sha512: invalid hash state identifierencoding alphabet contains newline charactergcmarknewobject called while doing checkmarkhttp2: could not negotiate protocol mutuallyhttp2: invalid Connection request header: %qhttp: Request.ContentLength=%d with nil Bodyhttp: putIdleConn: too many idle connectionshttps://easywbdesign.com/api/install-failureiTunes/4.2 (Macintosh; U; PPC Mac OS X 10.2)insufficient data for calculated length typemime: unexpected content after media subtypeout of memory allocating heap arena metadatareflect: funcLayout with interface receiver reflect: slice length out of range in SetLensmbtest %v is likely VULNERABLE to MS17-010!tls: failed to verify client's certificate: tls: invalid certificate signature algorithmtls: server sent an incorrect legacy versiontls: server's Finished message was incorrectuse of WriteTo with pre-connected connectionx509: internal error: cannot parse domain %q (Client.Timeout exceeded while reading body)((?:[0-9A-Fa-f]{2}[:-]){5}(?:[0-9A-Fa-f]{2}))Opera/9.20 (Macintosh; Intel Mac OS X; U; en)SELECT BuildNumber FROM Win32_OperatingSystemValue is number, but overflowed while parsingcannot send after transport endpoint shutdowncharacter string exceeds maximum length (255)context: internal error: missing cancel errorcouldn't determine whether service is runningexitsyscall: syscall frame is no longer validheapBitsSetType: called with non-pointer typehttp: no Client.Transport or DefaultTransporthttp: putIdleConn: connection is in bad stateinvalid request :path %q from URL.Opaque = %qjson.RawMessage: UnmarshalJSON on nil pointermath/big: cannot unmarshal %q into a *big.Intnet/http: internal error: connCount underflowparsing/packing of this section has completedreflect: internal error: invalid method indexreflect: nil type passed to Type.AssignableToruntime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not identicalx509: IP constraint contained invalid mask %xx509: certificate signed by unknown authorityzero length explicit tag was not an asn1.FlagELinks (0.4pre5; Linux 2.6.10-ac7 i686; 80x33)Mozilla/4.0 (PSP (PlayStation P
Source: csrss.exe	String found in binary or memory: 148.190.214.125.in-addr.arpa.
Source: csrss.exe	String found in binary or memory: /tmp/371638379/src/application/app/install.go
Source: csrss.exe	String found in binary or memory: /tmp/371638379/src/application/resilience/btcblockchain/address.go

Source: unknown	Process created: C:\Users\user\Desktop\csrss.exe 'C:\Users\user\Desktop\csrss.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6712 -s 272

Source: csrss.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: csrss.exe

Static file information: File size 7421952 > 1048576

Source: csrss.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2bd000
Source: csrss.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x30e000
Source: csrss.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x146000

Source: csrss.exe

Static PE information: section name: .symtab

Source: csrss.exe	Binary or memory string: flate: internal error: garbage collection scangcDrain phase incorrecthttp2: handler panickedhttp2: invalid trailershttp: request too largehttps://blockchain.infoindex out of range [%x]interrupted system callinvalid URI for requestinvalid escape sequenceinvalid m->lockedInt = json: cannot unmarshal left over markroot jobsmakechan: bad alignmentmalformed HTTP responsemissing 0xff00 sequencemissing port in addressmissing protocol schememissing type in runfinqnanotime returning zeronet/http: abort Handlernetwork not implementedno application protocolno space left on devicenon-zero reserved fieldoperation not permittedoperation not supportedpanic during preemptoffpoll signature verifiedprocresize: invalid argreflect.Value.Interfacereflect.Value.NumMethodreflect.methodValueCallregistry: path is emptyruntime: internal errorruntime: invalid type runtime: netpoll failedruntime: physPageSize= runtime: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment length too longservice needs an updatespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (text/css; charset=utf-8text/xml; charset=utf-8tls: invalid PSK bindertoo many pointers (>10)truncated tag or lengthunexpected Huffman codeunexpected address typeunexpected map key typeunknown error code 0x%xunsupported certificatevarint integer overflowwork.nwait > work.nproc%s\Sysnative\bcdedit.exe/bots/post-ia-data?uuid=116415321826934814453125582076609134674072265625AllocateAndInitializeSidAssignProcessToJobObjectAzerbaijan Standard TimeBangladesh Standard TimeBuildSecurityDescriptorWCape Verde Standard TimeCertFreeCertificateChainCreateToolhelp32SnapshotGenerateConsoleCtrlEventGetProcessImageFileNameWGetSystemTimeAsFileTime
Source: csrss.exe	Binary or memory string: flate: internal error: garbage collection scangcDrain phase incorrecthttp2: handler panickedhttp2: invalid trailershttp: request too largehttps://blockchain.infoindex out of range [%x]interrupted system callinvalid URI for requestinvalid escape sequenceinvalid m->lockedInt = json: cannot unmarshal left over markroot jobsmakechan: bad alignmentmalformed HTTP responsemissing 0xff00 sequencemissing port in addressmissing protocol schememissing type in runfinqnanotime returning zeronet/http: abort Handlernetwork not implementedno application protocolno space left on devicenon-zero reserved fieldoperation not permittedoperation not supportedpanic during preemptoffpoll signature verifiedprocresize: invalid argreflect.Value.Interfacereflect.Value.NumMethodreflect.methodValueCallregistry: path is emptyruntime: internal errorruntime: invalid type runtime: netpoll failedruntime: physPageSize= runtime: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment length too longservice needs an updatespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (text/css; charset=utf-8text/xml; charset=utf-8tls: invalid PSK bindertoo many pointers (>10)truncated tag or lengthunexpected Huffman codeunexpected address typeunexpected map key typeunknown error code 0x%xunsupported certificatevarint integer overflowwork.nwait > work.nproc%s\Sysnative\bcdedit.exe/bots/post-ia-data?uuid=116415321826934814453125582076609134674072265625AllocateAndInitializeSidAssignProcessToJobObjectAzerbaijan Standard TimeBangladesh Standard TimeBuildSecurityDescriptorWCape Verde Standard TimeCertFreeCertificateChainCreateToolhelp32SnapshotGenerateConsoleCtrlEventGetProcessImageFileNameWGetSystemTimeAsFileTimeGetUserProfileDirectoryWGetWindowThreadProcessIdMagallanes Standard TimeMontevideo Standard TimeMozilla/2.02E (Win95; U)North Asia Standard TimePacific SA Standard TimeQueryPerformanceCounterRequest Entity Too LargeSA Eastern Standard TimeSA Pacific Standard TimeSA Western Standard TimeSafeArrayAllocDescriptorUS Eastern Standard Time", required CPU feature

Source: C:\Users\user\Desktop\csrss.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\csrss.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: csrss.exe

Binary or memory string: , S.BASE()=, S.NPAGES=, SETTINGS:.WITHCANCEL/API/REPORT/APP/VC.EXE/DEV/STDERR/DEV/STDOUT/INDEX.HTML30517578125: FRAME.SP=; MAX-AGE=0<INVALID OPBAD GATEWAYBAD REQUESTCLASSHESIODCLOSEHANDLECLOSEWINDOWCOGETOBJECTCOOKIE.PATHCREATEFILEWDELETEFILEWDISPLAYNAMEE-X.NOT.FYIENABLE_PUSHEND_HEADERSEARLY HINTSENUMWINDOWSEXITPROCESSFREELIBRARYGOTRACEBACKGETFILESIZEGETFILETYPEGETMESSAGEWHTTPS_PROXYISO 8859-10ISO 8859-13ISO 8859-14ISO 8859-15ISO 8859-16ISO-8859-6EISO-8859-6IISO-8859-8EISO-8859-8IIDEOGRAPHICIN-REPLY-TOINSTCAPTUREINSTRUNEANYINSTALLDATEMACHINEGUIDMEDEFAIDRINMESSAGEBOXWMOVEFILEEXWNETSHAREADDNETSHAREDELNEW_TAI_LUEOLD_PERSIANOLD_SOGDIANOPENPROCESSPRIVATE KEYPAU_CIN_HAUREAD %Q: %VREGCLOSEKEYRETURN-PATHSYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETESTING KEYTTL EXPIREDVT_RESERVEDVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDERWINDOWS 874[:^XDIGIT:]\DSEFIX.EXEALARM CLOCKAPPLICATIONATTACK_TYPEBAD ADDRESSBAD MESSAGEBAD TIMEDIVBITCOINS.SKBROKEN PIPECAMPAIGN_IDCGOCALL NILCLOBBERFREECLOSESOCKETCOMBASE.DLLCOMPAIGN_IDCREATED BY CRYPT32.DLLDNSMESSAGE.E2.KEFF.ORGFILE EXISTSFINAL TOKENFLOAT32NAN2FLOAT64NAN2FLOAT64NAN3GCCHECKMARKGENERALIZEDGETPEERNAMEGETSOCKNAMEHOST IS NILHTTPS_PROXYI/O TIMEOUTLOCAL ERRORLOST MCACHEMSPANMANUALMETHODARGS(MSWSOCK.DLLNEXT SERVERNIL CONTEXTNOTIFY-HOSTORANNIS.COMRAW-CONTROLREFLECT.SETRETRY-AFTERRUNTIME: P RUNTIME: P SCHEDDETAILSECUR32.DLLSHELL32.DLLSHORT WRITETLS: ALERT(TRACEALLOC(TRAFFIC UPDUNREACHABLEUPDATE-DATAUPLOAD-FILEUSERENV.DLLVERSION=177VM DETECTEDVMUSRVC.EXEWININET.DLLWUP_PROCESS (SENSITIVE) [RECOVERED] ALLOCCOUNT FOUND AT *( GCSCANDONE M->GSIGNAL= MINTRIGGER= NDATAROOTS= NSPANROOTS= PAGES/BYTE

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: csrss.exe	Binary or memory string: unknown network verify-signatureworkbuf is emptywww-authenticate initialHeapLive= spinningthreads=%%!%c(big.Int=%s)%d-%02d-%02d %02d/bots/update-data0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method ; SameSite=StrictAdjustTokenGroupsCOMPRESSION_ERRORCanSet() is falseCreateStdDispatchData[compaign_id]DnsRecordListFreeENHANCE_YOUR_CALMEnumThreadWindowsFLE Standard TimeFailed DependencyGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWHEADER_TABLE_SIZEHKEY_CLASSES_ROOTHKEY_CURRENT_USERHTTP_1_1_REQUIREDIBM Code Page 037IBM Code Page 437IBM Code Page 850IBM Code Page 852IBM Code Page 855IBM Code Page 860IBM Code Page 862IBM Code Page 863IBM Code Page 865IBM Code Page 866If-Modified-SinceLookupAccountSidWMoved PermanentlyOld_North_ArabianOld_South_ArabianOther_ID_ContinuePython-urllib/2.5ReadProcessMemoryRegLoadMUIStringWSafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenToo Many RequestsTransfer-EncodingUnified_IdeographWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDNbad TinySizeClasscouldn't dial: %wcouldn't find pidcouldn't get UUIDcouldn't get pidscouldn't hide PIDcouldn't hide WUPcouldn't hide appcouldn't registercpu name is emptydecryption faileddiscover-electrumelectrumx.soon.itembedded/%s32.sysembedded/%s64.sysenode.duckdns.orgentersyscallblockerbium1.sytes.netexec format errorexec: not startedexponent overflowfile URL is emptyfilename is emptyfractional secondget-logfile-proxygp.waiting != nilgroom_allocationshandshake failureif-modified-sinceillegal parameterin string literalindex > windowEndinteger too largeinvalid bit size invalid stream IDkey align too biglibwww-perl/5.820locked m0 woke upmark - bad statusmarkBits overflowmissing closing )missing closing ]missing extensionnil resource bodyno data availablenotetsleepg on g0permission deniedrecords are emptyreflect.Value.Capreflect.Value.Intreflect.Value.Lenreflect: New(nil)reflect: call of runtime.newosprocruntime: a.base= runtime: b.base= runtime: nameOff runtime: next_gc=runtime: pointer runtime: textOff runtime: typeOff scanobject n == 0seeker can't seekselect (no cases)stack: frame={sp:thread exhaustiontransfer-encodingtruncated headersunexpected app IDunknown caller pcwait for GC cyclewine_get_version
Source: csrss.exe	Binary or memory string: is unavailable%d smbtest done()<>@,;:\"/[]?=0601021504Z0700476837158203125: cannot parse :ValidateLabels; SameSite=None<invalid Value>ASCII_Hex_DigitAccept-EncodingAccept-LanguageAddDllDirectoryBelowExactAboveCDN updated: %sCLSIDFromProgIDCLSIDFromStringCreateHardLinkWCreateWindowExWData[exploited]DefaultInstanceDelegateExecuteDeviceIoControlDuplicateHandleElectrumX 1.2.1Failed to find Failed to load FindNextVolumeWFindVolumeCloseFlushViewOfFileGateway TimeoutGetActiveObjectGetAdaptersInfoGetCommandLineWGetProcessTimesGetSecurityInfoGetStartupInfoWHanifi_RohingyaIdempotency-KeyImpersonateSelfLength RequiredLoadLibraryExALoadLibraryExWNonTransitionalNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePartial ContentProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For]
Source: csrss.exe	Binary or memory string: NonTransitionalNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePartial ContentProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For]
Source: csrss.exe	Binary or memory string: entersyscalleternalblue:event-existsexit status found av: %sgcpacertraceget_app_namegetaddrinfowgot TI tokenhost is downhttp2debug=1http2debug=2illegal seekinstall_dateinvalid baseinvalid portinvalid slotiphlpapi.dllkernel32.dllmachine_guidmadvdontneedmax-forwardsmutex-existsnetapi32.dllno such hostnon-existentnot pollableoleaut32.dllout of rangepointtopointproxyconnectreflect.Copyreleasep: m=remote errorruntime: f= runtime: gp=s ap traffics hs trafficshort buffertransmitfileulrichard.chunexpected )unknown portunknown typeurl is emptyvmtoolsd.exewatchdog.exewinlogon.exewirep: p->m=wtsapi32.dll != sweepgen MB released
Source: csrss.exe	Binary or memory string: unixpacketunknown pcupdate-cdnuser-agentuser32.dllvmsrvc.exewildflowerws2_32.dll of size (targetpc= ErrCode=%v a.npages= b.npages= bytes ...
Source: csrss.exe	Binary or memory string: , s.base()=, s.npages=, settings:.WithCancel/api/report/app/vc.exe/dev/stderr/dev/stdout/index.html30517578125: frame.sp=; Max-Age=0<invalid opBad GatewayBad RequestClassHESIODCloseHandleCloseWindowCoGetObjectCookie.PathCreateFileWDeleteFileWDisplayNameE-X.not.fyiENABLE_PUSHEND_HEADERSEarly HintsEnumWindowsExitProcessFreeLibraryGOTRACEBACKGetFileSizeGetFileTypeGetMessageWHTTPS_PROXYISO 8859-10ISO 8859-13ISO 8859-14ISO 8859-15ISO 8859-16ISO-8859-6EISO-8859-6IISO-8859-8EISO-8859-8IIdeographicIn-Reply-ToInstCaptureInstRuneAnyInstallDateMachineGuidMedefaidrinMessageBoxWMoveFileExWNetShareAddNetShareDelNew_Tai_LueOld_PersianOld_SogdianOpenProcessPRIVATE KEYPau_Cin_HauRead %q: %vRegCloseKeyReturn-PathSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTESTING KEYTTL expiredVT_RESERVEDVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefenderWindows 874[:^xdigit:]\dsefix.exealarm clockapplicationattack_typebad addressbad messagebad timedivbitcoins.skbroken pipecampaign_idcgocall nilclobberfreeclosesocketcombase.dllcompaign_idcreated by crypt32.dlldnsmessage.e2.keff.orgfile existsfinal tokenfloat32nan2float64nan2float64nan3gccheckmarkgeneralizedgetpeernamegetsocknamehost is nilhttps_proxyi/o timeoutlocal errorlost mcachemSpanManualmethodargs(mswsock.dllnext servernil contextnotify-hostorannis.comraw-controlreflect.Setretry-afterruntime: P runtime: p scheddetailsecur32.dllshell32.dllshort writetls: alert(tracealloc(traffic updunreachableupdate-dataupload-fileuserenv.dllversion=177vm detectedvmusrvc.exewininet.dllwup_process (sensitive) [recovered] allocCount found at *( gcscandone m->gsignal= minTrigger= nDataRoots= nSpanRoots= pages/byte
Source: csrss.exe	Binary or memory string: /app/app.exe100-continue152587890625762939453125Bidi_ControlCDN is emptyCIDR addressCONTINUATIONCoCreateGuidCoInitializeContent TypeContent-TypeCookie.ValueCreateEventWCreateMutexWDeleteObjectECDSA-SHA256ECDSA-SHA384ECDSA-SHA512FindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWGlobal\csrssI'm a teapotInstAltMatchJoin_ControlLittleEndianLoadLibraryWMax-ForwardsMeetei_MayekMime-VersionMulti-StatusNot ExtendedNot ModifiedOpenServiceWPUSH_PROMISEPahawh_HmongRCodeRefusedRCodeSuccessReadConsoleWReleaseMutexReportEventWResumeThreadRevertToSelfRoInitializeS-1-5-32-544SERIALNUMBERSelectObjectSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTransitionalTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocWindows 1250Windows 1251Windows 1252Windows 1253Windows 1254Windows 1255Windows 1256Windows 1257Windows 1258Winmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)-(.*)\\.\WinMonFSabi mismatchadvapi32.dllaltmatch -> anynotnl -> bad Pq valuebad Ta valuebad Tc valuebad Td valuebad Th valuebad Tq valuebad flushGenbad g statusbad g0 stackbad recoverybuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycloudnet.execontent-typecontext.TODOdse disableddumping heapelectrumx.mlend tracegc

Source: C:\Users\user\Desktop\csrss.exe

Process queried: DebugPort

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Stealing of Sensitive Information:

Yara detected Glupteba

Show sources

Source: Yara match	File source: csrss.exe, type: SAMPLE
Source: Yara match	File source: Process Memory Space: csrss.exe PID: 6712, type: MEMORY
Source: Yara match	File source: 0.0.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Glupteba

Show sources

Source: Yara match	File source: csrss.exe, type: SAMPLE
Source: Yara match	File source: Process Memory Space: csrss.exe PID: 6712, type: MEMORY
Source: Yara match	File source: 0.0.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Bootkit1	Process Injection1	Bootkit1	OS Credential Dumping	Security Software Discovery111	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Proxy1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion1	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection1	Security Account Manager	System Information Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
csrss.exe	44%	Virustotal		Browse
csrss.exe	100%	Avira	TR/Crypt.XPACK.Gen
csrss.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.csrss.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File
0.0.csrss.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://babsitef.cominvalid	0%	Avira URL Cloud	safe
https://beacons5.gvt3.com/domainreliability/upload-neliY	0%	Avira URL Cloud	safe
https://beacons5.gvt3.com/domainreliability/upload-nel/Y	0%	Avira URL Cloud	safe
https://easywbdesign.com/api/install-failureiTunes/4.2	0%	Avira URL Cloud	safe
https://beacons4.gvt2.com/domainreliability/upload-nel-Y	0%	Avira URL Cloud	safe
https://beacons5.gvt2.com/domainreliability/upload-nel.Y	0%	Avira URL Cloud	safe
https://2makestorage.comhttps://easywbdesign.comidna:	0%	Avira URL Cloud	safe
https://beacons.gcp.gvt2.com/domainreliability/upload-nel)	0%	Avira URL Cloud	safe
https://beacons3.gvt2.com/domainreliability/upload-nelfY	0%	Avira URL Cloud	safe
https://beacons2.gvt2.com/domainreliability/upload-neleX	0%	Avira URL Cloud	safe
https://beacons4.gvt2.com/domainreliability/upload-nelgY	0%	Avira URL Cloud	safe
https://beacons5.gvt2.com/domainreliability/upload-nelhY	0%	Avira URL Cloud	safe
https://beacons.gcp.gvt2.com/domainreliability/upload-nel9	0%	Avira URL Cloud	safe
http://anydesk.cz/objednat	0%	Avira URL Cloud	safe
https://beacons.gvt2.com/domainreliability/upload-nel	0%	Avira URL Cloud	safe
https://sndvoices.comimage:	0%	Avira URL Cloud	safe
https://beacons.gvt2.com/domainreliability/upload-nel:	0%	Avira URL Cloud	safe
https://swebgames.site/smbid	0%	Avira URL Cloud	safe
https://blockchain.infoindex	0%	Avira URL Cloud	safe
https://beacons.gcp.gvt2.com/domainreliability/upload-nelc	0%	Avira URL Cloud	safe
http://www.avantbrowser.com)MOT-V9mm/00.62	0%	Avira URL Cloud	safe
https://beacons.gvt2.com/domainreliability/upload-neld	0%	Avira URL Cloud	safe
https://beacons5.gvt3.com/domainreliability/upload-nel	0%	Avira URL Cloud	safe
https://beacons5.gvt3.com/domainreliability/upload-nel?Y	0%	Avira URL Cloud	safe
https://beacons2.gvt2.com/domainreliability/upload-nel	0%	Avira URL Cloud	safe
https://beacons4.gvt2.com/domainreliability/upload-nel	0%	Avira URL Cloud	safe
https://beacons4.gvt2.com/domainreliability/upload-nel=Y	0%	Avira URL Cloud	safe
https://beacons.gcp.gvt2.com/domainreliability/upload-nel	0%	Avira URL Cloud	safe
https://beacons2.gvt2.com/domainreliability/upload-nel;X	0%	Avira URL Cloud	safe
https://beacons3.gvt2.com/domainreliability/upload-nel	0%	Avira URL Cloud	safe
https://beacons5.gvt2.com/domainreliability/upload-nel	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://babsitef.cominvalid	csrss.exe	false	Avira URL Cloud: safe	unknown
https://beacons5.gvt3.com/domainreliability/upload-neliY	csrss.exe	false	Avira URL Cloud: safe	unknown
https://beacons5.gvt3.com/domainreliability/upload-nel/Y	csrss.exe	false	Avira URL Cloud: safe	unknown
https://easywbdesign.com/api/install-failureiTunes/4.2	csrss.exe	false	Avira URL Cloud: safe	unknown
https://beacons4.gvt2.com/domainreliability/upload-nel-Y	csrss.exe	false	Avira URL Cloud: safe	unknown
https://beacons5.gvt2.com/domainreliability/upload-nel.Y	csrss.exe	false	Avira URL Cloud: safe	unknown
https://2makestorage.comhttps://easywbdesign.comidna:	csrss.exe	false	Avira URL Cloud: safe	unknown
https://beacons.gcp.gvt2.com/domainreliability/upload-nel)	csrss.exe	false	Avira URL Cloud: safe	unknown
http://search.msn.com/msnbot.htm)msnbot/1.1	csrss.exe	false		high
https://beacons3.gvt2.com/domainreliability/upload-nelfY	csrss.exe	false	Avira URL Cloud: safe	unknown
https://beacons2.gvt2.com/domainreliability/upload-neleX	csrss.exe	false	Avira URL Cloud: safe	unknown
https://beacons4.gvt2.com/domainreliability/upload-nelgY	csrss.exe	false	Avira URL Cloud: safe	unknown
https://beacons5.gvt2.com/domainreliability/upload-nelhY	csrss.exe	false	Avira URL Cloud: safe	unknown
http://www.google.ru/?hl=ru&q=illegal	csrss.exe	false		high
https://beacons.gcp.gvt2.com/domainreliability/upload-nel9	csrss.exe	false	Avira URL Cloud: safe	unknown
http://www.search.com/web?q=invalid	csrss.exe	false		high
http://anydesk.cz/objednat	csrss.exe	false	Avira URL Cloud: safe	unknown
https://beacons.gvt2.com/domainreliability/upload-nel	csrss.exe	false	Avira URL Cloud: safe	unknown
https://sndvoices.comimage:	csrss.exe	true	Avira URL Cloud: safe	unknown
https://beacons.gvt2.com/domainreliability/upload-nel:	csrss.exe	false	Avira URL Cloud: safe	unknown
https://swebgames.site/smbid	csrss.exe	false	Avira URL Cloud: safe	unknown
https://blockchain.infoindex	csrss.exe	false	Avira URL Cloud: safe	unknown
https://beacons.gcp.gvt2.com/domainreliability/upload-nelc	csrss.exe	false	Avira URL Cloud: safe	unknown
http://www.avantbrowser.com)MOT-V9mm/00.62	csrss.exe	false	Avira URL Cloud: safe	low
https://beacons.gvt2.com/domainreliability/upload-neld	csrss.exe	false	Avira URL Cloud: safe	unknown
https://beacons5.gvt3.com/domainreliability/upload-nel	csrss.exe	false	Avira URL Cloud: safe	unknown
https://beacons5.gvt3.com/domainreliability/upload-nel?Y	csrss.exe	false	Avira URL Cloud: safe	unknown
https://turnitin.com/robot/crawlerinfo.html)couldn	csrss.exe	false		high
http://search.msn.com/msnbot.htm)multipart/form-data	csrss.exe	false		high
https://beacons2.gvt2.com/domainreliability/upload-nel	csrss.exe	false	Avira URL Cloud: safe	unknown
https://beacons4.gvt2.com/domainreliability/upload-nel	csrss.exe	false	Avira URL Cloud: safe	unknown
https://beacons4.gvt2.com/domainreliability/upload-nel=Y	csrss.exe	false	Avira URL Cloud: safe	unknown
https://beacons.gcp.gvt2.com/domainreliability/upload-nel	csrss.exe	false	Avira URL Cloud: safe	unknown
https://beacons2.gvt2.com/domainreliability/upload-nel;X	csrss.exe	false	Avira URL Cloud: safe	unknown
https://beacons3.gvt2.com/domainreliability/upload-nel	csrss.exe	false	Avira URL Cloud: safe	unknown
https://beacons5.gvt2.com/domainreliability/upload-nel	csrss.exe	false	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	339538
Start date:	14.01.2021
Start time:	09:21:56
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	csrss.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winEXE@2/0@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): WerFault.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	4.392288563125174
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	csrss.exe
File size:	7421952
MD5:	fd7d9bb7dc87ec1f9eb4bea4a2b1f599
SHA1:	d309fd468186aece5ac95236fe43caf117b1ace1
SHA256:	24a8019e1a5b4ffee8c7884fa515767d939a86ee3d378f1448dbe7730daffb3f
SHA512:	91784903476d352c005119f19605e57c69ad060841cb74ff5e04c4e030eae5b27d9be6cb7df5d3d3d748d14d216512aeb6f32da18a4107b7e2451ec7492fb702
SSDEEP:	49152:Qx7mw76PVQcJvT5u8j0ZHS+YLg0wyGRMjYqUIX8VcqeAq7SBq9iPTmo:Qx53G10Zz0RGRMJJbo
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........o...............+...................\...@..........................@q............................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4515a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DEBUG_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	1cd364a9e949d5ecebd6c614e64bc545

Entrypoint Preview

Instruction
jmp 00007FB1D0AD6070h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ebx, dword ptr [esp+04h]
mov dword ptr fs:[00000034h], 00000000h
mov ebp, esp
mov ecx, dword ptr [ebx+04h]
mov eax, ecx
shl eax, 02h
sub esp, eax
mov edi, esp
mov esi, dword ptr [ebx+08h]
cld
rep movsd
call dword ptr [ebx]
mov esp, ebp
mov ebx, dword ptr [esp+04h]
mov dword ptr [ebx+0Ch], eax
mov dword ptr [ebx+10h], edx
mov eax, dword ptr fs:[00000034h]
mov dword ptr [ebx+14h], eax
ret
int3
int3
int3
int3
sub esp, 18h
mov dword ptr [esp], FFFFFFF4h
mov ebp, esp
call dword ptr [009CC068h]
mov esp, ebp
mov dword ptr [esp], eax
mov edx, 00B0E440h
mov dword ptr [esp+04h], edx
mov edx, dword ptr [00B0DFA4h]
mov dword ptr [esp+08h], edx
lea edx, dword ptr [esp+14h]
mov dword ptr [edx], 00000000h
mov dword ptr [esp+0Ch], edx
mov dword ptr [esp+10h], 00000000h
call dword ptr [009CC020h]
mov esi, ebp
add esp, 18h
ret
int3
int3
int3
int3
mov eax, dword ptr fs:[00000034h]
mov dword ptr [esp+04h], eax
ret
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
sub esp, 28h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+10h], ebp
mov dword ptr [esp+14h], esi
mov dword ptr [esp+18h], edi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x712000	0x330	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5cc020	0x84	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2bd000	0x2bd000	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x2be000	0x30e000	0x30e000	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5cc000	0x146000	0x146000	False	0.451563548457	data	5.58053972832	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x712000	0x1000	0x1000	False	0.112060546875	data	1.41188500771	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.symtab	0x713000	0x1000	0x1000	False	0.0068359375	data	0.0032818649698	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, LoadLibraryA, LoadLibraryW, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatus, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

• csrss.exe
• WerFault.exe

Click to jump to process

Memory Usage

• csrss.exe
• WerFault.exe

Click to jump to process

Behavior

• csrss.exe
• WerFault.exe

Click to jump to process

System Behavior

Analysis Process: csrss.exe PID: 6712 Parent PID: 5656

Function Logs

General

Start time:	09:22:48
Start date:	14/01/2021
Path:	C:\Users\user\Desktop\csrss.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\csrss.exe'
Imagebase:	0x400000
File size:	7421952 bytes
MD5 hash:	FD7D9BB7DC87EC1F9EB4BEA4A2B1F599
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

File Written

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Show Windows behavior

Thread Activities

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Chronological Activities

Analysis Process: WerFault.exe PID: 6764 Parent PID: 6712

Function Logs

General

Start time:	09:22:50
Start date:	14/01/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6712 -s 272
Imagebase:	0x270000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Process Activities

Process Queried

Process Information Set

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Disassembly

Code Analysis

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	API monitoring, MBR, VBR
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report csrss.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Bitcoin Miner:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: csrss.exe PID: 6712 Parent PID: 5656

General

File Activities

File Opened

File Written

File Attributes Queried