lsass.exe

The executable lsass.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘run32’. While running, it connects to the Internet address h30.default-host.net on port 80 using the HTTP protocol.
Version:
0.0.0.0

MD5:
27f8dd97da01a36a3b1b19584f993fc3

SHA-1:
726e6df409ff6bdd6509055ef47bd9b3d925cb2a

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
11/23/2024 12:31:45 PM UTC

Scan engine:
Reason Heuristics

Detection:
Trojan.Downloader (M)

Engine version:
17.2.14.13

File size:
694.7 KB (711,413 bytes)

File type:
Executable application (Win32 EXE)

Language:
English (United Kingdom)

File PE Metadata
Compilation timestamp:
7/11/2007 10:21:32 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
7.10

Entry address:
0x9B110

Entry point:
60, 33, F3, FE, CA, EB, 01, 9C, 8B, F5, C6, C4, B2, F3, E8, 08, 00, 00, 00, 7F, 9D, 1C, 50, 4C, 40, AB, F1, 33, EA, 0F, BE, D0, 0F, A4, C1, 24, 8B, F5, 5A, 39, C0, 85, D5, F7, D1, 89, E9, 73, 18, 81, F0, 59, 6E, 00, 00, EB, 01, E7, C7, C1, 37, 1E, 69, 88, 0F, A5, D3, 69, DA, A8, CB, 62, 9D, 81, C2, 92, BB, 00, 00, 0F, AF, FE, FF, C1, 0F, B7, FD, 13, CD, 81, C2, 57, C3, 00, 00, EB, 01, BC, F7, D1, 0F, BC, FE, 8D, 3D, 6C, 7F, 46, F1, 88, F0, 81, EA, 0C, 20, 00, 00, C1, D1, 8C, 0F, BC, FE, 8B, CD, 0F, AF, FE...

Entropy:
7.3402

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
run32

Command:
C:\win\lsass.exe
The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to h30.default-host.net  (138.201.56.16:80)

TCP (HTTP):
Connects to box383.bluehost.com  (69.89.31.183:80)

TCP (HTTP):
Connects to box361.bluehost.com  (69.89.31.161:80)

TCP (HTTP):
Connects to 217-160-0-4.elastic-ssl.ui-r.com  (217.160.0.4:80)

TCP (HTTP):
Connects to 217-160-0-39.elastic-ssl.ui-r.com  (217.160.0.39:80)
