lsass.exe

Project1

The executable lsass.exe has been detected as malware by 38 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘pikachu’.
Product:
Project1

Version:
1.00

MD5:
84812d6bc28f27b0e2dcce93a2e8ec12

SHA-1:
2a21e7cff1800c693bf921972ad8fbdeb49f5632

Scanner detections:
38 / 68

Status:
Malware

Analysis date:
11/29/2024 4:34:56 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
IRC-Worm.Generic.24658
-40

Agnitum Outpost
Worm.Chupik
7.1.1

AhnLab V3 Security
Trojan/Win32.Cosmu
2014.08.09

Avira AntiVirus
TR/Crypt.ULPM.Gen
7.11.166.32

avast!
Win32:Sality
2014.9-170316

AVG
Worm/VB
2018.0.2438

Bitdefender
IRC-Worm.Generic.24658
1.0.20.375

Bkav FE
W32.PikachuGTA
1.3.0.4959

Comodo Security
Worm.Win32.Autorun.eb0
19128

Dr.Web
Trojan.MulDrop2.63234
9.0.1.075

Emsisoft Anti-Malware
IRC-Worm.Generic.24658
8.17.03.16.09

ESET NOD32
Win32/VB.NSP
11.10226

Fortinet FortiGate
W32/VB.SDE!tr
3/16/2017

F-Prot
W32/Worm.APUJ
v6.4.7.1.166

F-Secure
IRC-Worm.Generic.24658
11.2017-16-03_5

G Data
IRC-Worm.Generic.24658
17.3.24

IKARUS anti.virus
Worm.Win32.VB
t3scan.1.6.1.0

K7 AntiVirus
Trojan
13.183.12998

Kaspersky
Trojan.Win32.Agent
14.0.0.-1317

Malwarebytes
Trojan.Agent
v2017.03.16.09

McAfee
W32/Worm-FEL!84812D6BC28F
5600.6094

Microsoft Security Essentials
Worm:Win32/Chupik.A
1.10802

MicroWorld eScan
IRC-Worm.Generic.24658
18.0.0.225

NANO AntiVirus
Trojan.Win32.MulDrop2.crsvig
0.28.2.61349

Norman
Obfuscated.CD!genr
11.20170316

nProtect
IRC-Worm.Generic.24658
14.08.08.01

Panda Antivirus
W32/Picachu.A.worm
17.03.16.09

Qihoo 360 Security
Malware.QVM01.Gen
1.0.0.1015

Quick Heal
Worm.Chupik.A3
3.17.14.00

Rising Antivirus
PE:Worm.VobfusEx!1.99E4
23.00.65.17314

Sophos
Mal/VB-F
4.98

SUPERAntiSpyware
Trojan.Agent/Gen-Pikachu
8532

Total Defense
Win32/Chupika.A
37.0.11108

Trend Micro House Call
TROJ_SPNR.02EM12
7.2.75

Trend Micro
TROJ_SPNR.02EM12
10.465.16

Vba32 AntiVirus
Worm.VB
3.12.26.3

VIPRE Antivirus
Trojan.Win32.Generic.pak!cobra
32050

ViRobot
Worm.Win32.VB.110592.B
2011.4.7.4223

File size:
1.5 MB (1,560,576 bytes)

Product version:
1.00

Original file name:
pikachu.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\windows\system\lsass.exe

File PE Metadata
Compilation timestamp:
4/15/2009 2:57:02 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

Entry address:
0x50860

Entry point:
60, BE, 00, 50, 44, 00, 8D, BE, 00, C0, FB, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89...
 
[+]

Entropy:
7.7989

Packer / compiler:
UPX 2.90LZMA

Code size:
48 KB (49,152 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
pikachu

Command:
C:\windows\nacl.exe


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to ec2-52-24-5-162.us-west-2.compute.amazonaws.com  (52.24.5.162:80)

Remove lsass.exe - Powered by Reason Core Security