lsass.exe

The executable lsass.exe has been detected as malware by 23 of 68 anti-virus scanners. It is a malicious Bitcoin miner: bitcoin-mining malware forces infected computers to generate Bitcoin for the cybercriminals' benefit, consuming CPU/GPU time and electricity. The file name imitates the legitimate Windows Local Security Authority Subsystem Service binary, which lives in C:\Windows\System32; this sample has instead been seen at C:\windows\temp\lsass.exe. The file has been seen being downloaded from m.xxxl84675900374.com and multiple other hosts. While running, it connects to hosted-by.leaseweb.com (46.165.232.77) on TCP port 1001.
MD5:
9d8f08c4f8401a6a7651065068b2d9e3

SHA-1:
139b0cf7965d1b9424705f379f1c62d380711ba7

SHA-256:
d4735c1fe53898487e5e588741cae22928ef32c27d93214d3ad36239f19b5dd9

Scanner detections:
23 / 68

Status:
Malware

Explanation:
The program mines Bitcoin in the background using the computer's GPU and may be installed and run without the user's knowledge. The genuine lsass.exe is never a console application and never runs from C:\windows\temp; an lsass.exe found there, or with the hashes listed above, is this sample or a variant of it.

Analysis date:
11/15/2024 7:41:29 PM UTC

Scan engine               Detection                                   Engine version
Lavasoft Ad-Aware         Trojan.Generic.13166951                     5664641
Agnitum Outpost           Trojan.CoinMiner                            7.1.1
avast!                    Win64:Malware-gen                           150319-1
AVG                       Atros                                       2016.0.3109
Baidu Antivirus           Hacktool.Win64.BitCoinMiner                 4.0.3.15514
Bitdefender               Trojan.Generic.13166951                     1.0.20.670
Bkav FE                   W64.HfsAutoA                                1.3.0.6379
Comodo Security           UnclassifiedMalware                         22109
Emsisoft Anti-Malware     Trojan.Generic.13166951                     15.05.14
ESET NOD32                Win64/CoinMiner.X trojan                    8.0.319.0
Fortinet FortiGate        W32/CoinMiner.C!tr                          5/14/2015
F-Secure                  Trojan.Generic.13166951                     5.13.68
G Data                    Trojan.Generic.13166951                     15.5.25
IKARUS anti.virus         Trojan.Win64.CoinMiner                      t3scan.1.8.9.0
Kaspersky                 not-a-virus:RiskTool.Win64.BitCoinMiner     15.0.0.562
McAfee                    Artemis!9D8F08C4F840                        5600.6765
MicroWorld eScan          Trojan.Generic.13166951                     16.0.0.402
nProtect                  Trojan.Generic.13166951                     15.05.13.01
Panda Antivirus           Trj/Chgt.O                                  15.05.14.02
Sophos                    Virus 'Mal/Miner-C'                         5.14
Trend Micro House Call    TROJ_GEN.R08NC0RE615                        7.2.134
Trend Micro               TROJ_GEN.R08NC0RE615                        10.465.14
VIPRE Antivirus           Threat.4150696                              39486

File size:
1.5 MB (1,591,808 bytes)

File type:
Executable application (Win64 EXE)

Common path:
C:\windows\temp\lsass.exe

File PE Metadata
Compilation timestamp:
4/10/2015 9:09:22 PM

OS version:
6.0

OS bitness:
Win64

Subsystem:
Windows Console

Linker version:
11.0

CTPH (ssdeep):
49152:7Uf7ZGtJ4dyz3twAdq6PsA6R7Z/o8S4XpEe+x:7Uf7ef7tbqod6fb9pE

Entry address:
0x35F628

Entry point:
E9, D3, 73, EF, FF, 0F, 84, 09, 00, 00, 00, FE, C1, 66, 39, C7, 66, 89, E1, 50, 66, 21, C0, 48, 89, D9, F9, F5, 66, D3, C0, 48, 83, EC, 20, 48, 8D, 87, 02, F0, 4C, 61, 48, 0F, C8, 48, 8D, 05, 9F, 51, 05, 00, E9, A4, 5C, F0, FF, 2C, 3B, 96, B7, 51, FF, E1, 1C, 16, 1B, 78, DE, 7E, DE, 2E, 14, 2E, E8, CE, 6F, C9, 4E, C9, 8B, D5, EE, 98, 96, 20, 31, DC, 56, 30, EA, 44, A6, B0, FA, 34, CE, 68, EA, C3, E8, 23, CD, 47, B9, A3, 05, 1E, 04, A3, 68, 7B, A0, 12, 84, 1D, 8F, E0, 93, 14, 84, 9A, 79, 99, A9, CA, 7C, CD...

Entropy:
7.9330

Packer / compiler:
Xtreme-Protector v1.05

Code size:
684 KB (700,416 bytes)
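The entropy of 7.9330 and the Xtreme-Protector packer identification above belong together: a section of ordinary compiled x86-64 code rarely exceeds about 7 bits per byte, so a whole-file value this close to the 8.0 maximum means most of the image is compressed or encrypted and is only unpacked at run time, which is why many static scanners fall back to generic names such as Trojan.Generic or Malware-gen. The entry-point bytes tell the same story: they begin with E9, a near jmp, rather than a normal compiler prologue. The helpers below are an added example written for this page, not code from Reason Core Security; they reuse only the entry address and the entry-point bytes printed above. Treating the listed "Entry address" as the address of the first entry-point byte is an assumption, as is the 7.2 packing threshold; the sample byte buffers are constructed.

```python
import math
import struct
from typing import Optional

# Values copied from the page: entry address and first entry-point bytes
# (E9 D3 73 EF FF 0F 84 09 00 00). Interpreting the entry address as the
# address of the first byte is an assumption.
ENTRY_ADDRESS = 0x35F628
ENTRY_BYTES = bytes.fromhex("E9D373EFFF0F84090000")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer,
    8.0 for a perfectly uniform one (the page reports 7.9330)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_likely_packed(entropy: float, threshold: float = 7.2) -> bool:
    """Heuristic (assumed threshold): compressed or encrypted content
    sits close to 8.0; native code and tables usually stay below ~7."""
    return entropy >= threshold


def decode_jmp_rel32(entry_address: int, code: bytes) -> Optional[int]:
    """If the first instruction is E9 <rel32>, return its absolute target:
    address of the next instruction plus the signed 32-bit displacement.
    Returns None when the entry does not start with a near jmp."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = struct.unpack("<i", code[1:5])[0]
    return (entry_address + 5 + rel) & 0xFFFFFFFFFFFFFFFF


# Constructed sample buffers, not data from the sample itself.
CONSTANT = b"A" * 4096                      # entropy 0.0
PLAINTEXT = b"The quick brown fox jumps over the lazy dog. " * 64
UNIFORM = bytes(range(256)) * 16            # entropy 8.0

if __name__ == "__main__":
    for label, buf in (("constant", CONSTANT), ("plaintext", PLAINTEXT), ("uniform", UNIFORM)):
        h = shannon_entropy(buf)
        print(f"{label:10s} {h:.4f} packed={is_likely_packed(h)}")
    print(f"page value  7.9330 packed={is_likely_packed(7.9330)}")
    target = decode_jmp_rel32(ENTRY_ADDRESS, ENTRY_BYTES)
    print(f"entry jmp target: {target:#x} (displacement {target - ENTRY_ADDRESS:+#x})")
```

Run against the page's bytes, the first instruction decodes as a jump to 0x256A00, roughly 1 MB backwards into the image. A compiler-generated entry point does not do that; a packer stub that lives at the end of the image and jumps into its decompression loop does. Whether 0x256A00 is a virtual address or an RVA depends on what the listing means by "Entry address", so confirm it against the section table before using it in analysis.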

The file lsass.exe has been seen being distributed by the following URLs, a subset of the 101 download URLs recorded for this sample. Every path has the same shape: /foo/, a per-download token, a ten-digit number that decodes as a Unix timestamp (the values shown fall between May 2015 and September 2016), an elided segment, and the file name. The hostnames are throwaway domains; the path template is the more durable indicator.

http://m.xxxl84675900374.com/foo/pQWCzL9KuzMJy27NmT9_5w/1458139751/.../lsass.exe

http://m.girl8349237543.com/foo/jEFsmIuJoISSO_LWOWNUrw/1437336404/.../lsass.exe

http://m.cn94857395.com/foo/NDwwOWecK7HOajexUMklMg/1455365395/.../lsass.exe

http://m.icolor19495344.com/foo/jiNFK0kziTZfqzS7SG4ZNw/1441709732/.../lsass.exe

http://m.sony4gamesman.com/foo/rS8vedlIcgc8w5ZB0Y6mNg/1470940460/.../lsass.exe

http://m.sony4gamesman.com/foo/35xOD0ppk3-NOa1kST-_kA/1468243020/.../lsass.exe

http://m.sony4gamesman.com/foo/bFm_TlEGrQ4sf2bj6TeJoA/1464822234/.../lsass.exe

http://m.xxxl84675900374.com/foo/XkKf1X9GAQu7cjlCccK0QQ/1446293912/.../lsass.exe

http://m.icolor19495344.com/foo/ZOQv6ZVZZKU0QXH85X0Rpw/1446973204/.../lsass.exe

http://m.xxxl84675900374.com/foo/12hd7pndGickebGeXiNvBA/1455360800/.../lsass.exe

http://m.icolor19495344.com/foo/uDazDOvk4_tyrNSLbD3OEg/1458588407/.../lsass.exe

http://m.xxxl84675900374.com/foo/XFrmvMs2nzOTzk0o8qyz5Q/1472783273/.../lsass.exe

http://m.icolor19495344.com/foo/26n4OLTmpWx_S7n3o4wGOA/1433780551/.../lsass.exe

http://m.icolor19495344.com/foo/6ts6iP1PtR30vF1Svpr3tA/1456943371/.../lsass.exe

http://m.sony4gamesman.com/foo/MI4HD1BvDrF8Wb7o-GEuUA/1470805429/.../lsass.exe

http://m.sony4gamesman.com/foo/4ZDjKZDKclB0cR-47E0qXg/1469351312/.../lsass.exe

http://m.icolor19495344.com/foo/T9H_k4blW9WvP-9C7O0v4A/1465950685/.../lsass.exe

http://m.icolor19495344.com/foo/ar4qCWoJE4fmLdaIlv0YMQ/1431158619/.../lsass.exe

http://m.sony4gamesman.com/foo/ki_Ce7pX6x9_R_p9h0-NSA/1472904582/.../lsass.exe

http://m.cn94857395.com/foo/SLIE-MBKGLsCOcuJjM7HFg/1472764506/.../lsass.exe

http://m.cn94857395.com/foo/M_m8ONimLhgl-6eOOE0iog/1453125255/.../lsass.exe

http://m.xxxl84675900374.com/foo/AhDZ6jsdsQvcBR3acdQncQ/1452398691/.../lsass.exe

http://m.sony4gamesman.com/foo/aiixdMYFiMkdY5xIsU0_Qg/1471725794/.../lsass.exe

http://m.cn94857395.com/foo/edSUwTd-yDbq73_XssHrOw/1462603847/.../lsass.exe

http://m.sony4gamesman.com/foo/XS5vV1uV3e81vSeTn2Zqew/1471959927/.../lsass.exe

http://m.xxxl84675900374.com/foo/zHDCZ5lYLLOzG3Fuv2qUww/1464415877/.../lsass.exe

http://m.sony4gamesman.com/foo/k6b-VjjztDfDHYWweEsW9Q/1469450587/.../lsass.exe

http://m.xxxl84675900374.com/foo/broJI4zS4luIBq_0BThYxw/1465348117/.../lsass.exe

Latest 30 of 101 download URLs
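The URL list above is more useful as structured data than as a block of strings: the hostname gives you a DNS-log query, the ten-digit path segment gives you a date, and grouping by host shows how long each distribution domain stayed in use. The script below is an added example for this page (not Reason Core Security code) that parses a handful of the listed URLs with that template, decodes the timestamps as UTC, and summarizes first/last seen per host. The path regex is derived from the URLs shown above and the "..." is the page's own elision; no other URL structure is assumed.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Six of the download URLs listed on this page (the "..." is the page's elision).
SAMPLE_URLS = [
    "http://m.xxxl84675900374.com/foo/pQWCzL9KuzMJy27NmT9_5w/1458139751/.../lsass.exe",
    "http://m.girl8349237543.com/foo/jEFsmIuJoISSO_LWOWNUrw/1437336404/.../lsass.exe",
    "http://m.icolor19495344.com/foo/ar4qCWoJE4fmLdaIlv0YMQ/1431158619/.../lsass.exe",
    "http://m.sony4gamesman.com/foo/ki_Ce7pX6x9_R_p9h0-NSA/1472904582/.../lsass.exe",
    "http://m.cn94857395.com/foo/SLIE-MBKGLsCOcuJjM7HFg/1472764506/.../lsass.exe",
    "http://m.xxxl84675900374.com/foo/XFrmvMs2nzOTzk0o8qyz5Q/1472783273/.../lsass.exe",
]

# Path template seen on the page: /foo/<base64url token>/<10-digit epoch>/.../<file>.
# The tokens are 22 base64url characters, i.e. 16 bytes without padding.
PATH_RE = re.compile(
    r"^/foo/(?P<token>[A-Za-z0-9_-]+)/(?P<ts>\d{10})/.*/(?P<file>[^/]+)$"
)


def parse_download_url(url):
    """Return host, token, UTC timestamp and file name, or None if the URL
    does not follow the template (so unrelated URLs are simply skipped)."""
    u = urlparse(url)
    m = PATH_RE.match(u.path)
    if not m or not u.hostname:
        return None
    return {
        "host": u.hostname,
        "token": m["token"],
        "timestamp": datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc),
        "file": m["file"],
    }


def summarize(urls):
    """Per host: number of recorded downloads and first/last timestamp."""
    per_host = {}
    for url in urls:
        rec = parse_download_url(url)
        if rec is None:
            continue
        entry = per_host.setdefault(
            rec["host"], {"count": 0, "first": rec["timestamp"], "last": rec["timestamp"]}
        )
        entry["count"] += 1
        entry["first"] = min(entry["first"], rec["timestamp"])
        entry["last"] = max(entry["last"], rec["timestamp"])
    return per_host


def hunting_domains(urls):
    """Sorted, de-duplicated hostnames for a DNS/proxy log search."""
    return sorted({r["host"] for r in map(parse_download_url, urls) if r})


if __name__ == "__main__":
    for host, s in sorted(summarize(SAMPLE_URLS).items()):
        print(f"{host:28s} n={s['count']}  first={s['first']:%Y-%m-%d}  last={s['last']:%Y-%m-%d}")
    print("hunt:", ", ".join(hunting_domains(SAMPLE_URLS)))
```

On the full list this gives a per-domain activity window; with a proxy log it also gives you a regex (the PATH_RE above, anchored on /foo/ and the epoch segment) that keeps matching when the attacker rotates to a hostname the page never saw.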

The executing file has been seen to make the following network communication in live environments.

TCP:
Connects to hosted-by.leaseweb.com  (46.165.232.77:1001)
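Three indicators on this page are worth turning into a host-side check: the image path (the real lsass.exe lives only in %SystemRoot%\System32 and is started by wininit.exe, never from C:\windows\temp), the file hashes, and the outbound connection to 46.165.232.77 on TCP 1001. Note that hosted-by.leaseweb.com is the hosting provider's generic reverse-DNS name, not an attacker-chosen domain, so pivot on the IP and port rather than the name. The triage function below is an added example written for this page, not Reason Core Security code; it runs over constructed telemetry records with an assumed schema (image, sha256, dst_ip, dst_port) and flags any of the three indicators. Checking the path as well as the hash is deliberate: a repacked variant changes the hash but still has to masquerade somewhere.

```python
# Indicators of compromise copied from this page.
IOC_SHA256 = "d4735c1fe53898487e5e588741cae22928ef32c27d93214d3ad36239f19b5dd9"
IOC_MD5 = "9d8f08c4f8401a6a7651065068b2d9e3"
IOC_C2 = ("46.165.232.77", 1001)

# Assumption: the system root is C:\Windows. On a non-default install,
# derive this from %SystemRoot% instead of hard-coding it.
LEGIT_LSASS = r"c:\windows\system32\lsass.exe"

# Constructed telemetry (assumed schema; not from any real EDR or sandbox).
EVENTS = [
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\lsass.exe",
     "sha256": "0" * 64, "user": r"NT AUTHORITY\SYSTEM"},
    {"type": "process", "host": "ws02", "image": r"C:\windows\temp\lsass.exe",
     "sha256": IOC_SHA256, "user": r"ws02\bob"},
    {"type": "process", "host": "ws03", "image": r"C:\Users\alice\AppData\Local\Temp\lsass.exe",
     "sha256": "1" * 64, "user": r"ws03\alice"},
    {"type": "network", "host": "ws02", "image": r"C:\windows\temp\lsass.exe",
     "dst_ip": "46.165.232.77", "dst_port": 1001},
    {"type": "network", "host": "ws04", "image": r"C:\Program Files\App\app.exe",
     "dst_ip": "93.184.216.34", "dst_port": 443},
]


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def triage(events):
    """Return (host, reason) findings for the page's three indicators:
    lsass.exe masquerade by path, known-bad hash, known C2 endpoint."""
    findings = []
    for e in events:
        image = e["image"]
        if e["type"] == "process":
            # Path check first: catches repacked variants whose hash differs.
            if _basename(image) == "lsass.exe" and image.lower() != LEGIT_LSASS:
                findings.append((e["host"], f"lsass.exe outside System32: {image} (user {e.get('user')})"))
            if e.get("sha256", "").lower() == IOC_SHA256:
                findings.append((e["host"], f"SHA-256 matches known CoinMiner sample: {image}"))
        elif e["type"] == "network":
            if (e["dst_ip"], e["dst_port"]) == IOC_C2:
                findings.append((e["host"], f"{image} connected to {e['dst_ip']}:{e['dst_port']}"))
    return findings


if __name__ == "__main__":
    for host, reason in triage(EVENTS):
        print(f"[{host}] {reason}")
```

ws01 is the genuine service and produces nothing; ws02 trips all three rules; ws03 is flagged on path alone even though its hash is unknown. In production, pair the path rule with an Authenticode signature check and a parent-process check (wininit.exe) so that a signed Microsoft binary in an unusual location and an unsigned one in the right-looking location are both caught.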

Remove lsass.exe - Powered by Reason Core Security